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PREFACE 


The  purpose  of  this  book  is  to  provide  a  textbook  for  advanced  training 
course.  The  content  of  the  book  tries  to  address  the  challenges  posed  to 
legal  system  by  information  systems,  by  clarifying  how  some  significant 
phenomena  stand  from  the  legal  viewpoint.  Based  on  the  relativity  of  the 
concept  of  cybersecurity,  Chapter  II  analyzes  the  economic  impact  of 
cyber  security  breaches,  identifies  cybersecurity  as  a  private  good  that 
should  be  provided  mainly  by  the  private  sector.  However,  public  provision 
is  also  necessary  when  severe  security  breaches  occur  and  liability 
mechanisms  should  be  triggered. 

In  Chapter  III， it  has  been  recognized  that,  while  information 
systems  provide  modern  society  with  great  convenience,  it  also  poses  new 
problems  in  maintaining  social  order.  One  of  its  negative  influences  is  the 
anonymity  of  cyberspace,  which  makes  identity  tracing  a  noteworthy 
predicament  which  poses  obstacles  in  detection  and  investigations.  It  has 
been  found  that  cyber  anonymity  has  critical  impacts  on  criminal 
motivation,  and  the  phenomena  of  victimization,  and  should  be  tackled  on 
different  layers  including  technology  and  law  enforcement.  The  article 
explores  how  the  anonymity  symbolizes  the  cyberspace,  what  threats  are 
posed  by  cyber  anonymity  against  social  order,  what  potentialities  the 
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anonymity  has,  how  the  trans-territorial  anonymity  was  facilitated,  and 
the  real  impact  of  anonymity  on  law  and  order  in  the  information  society. 

The  purpose  of  Chapter  IV  is  to  present  an  updated  profile  of 
cybercriminality  and  cybervictimization  based  on  a  sample  of  115  typical 
cases  prosecuted.  The  study  found  that  males  are  responsible  for  a 
majority  of  these  cybercrimes.  The  cybercriminals  distribute  primarily 
among  the  ages  between  17  to  45  years  old.  Domestic  perpetrators 
constitute  the  absolute  majority  of  the  cyb er criminal s .  Outsiders  are  four 
times  more  likely  to  be  involved  in  cybercrimes  than  insiders.  Most 
cybercrimes  did  not  involve  monetary  loss,  while  the  other  cybercrimes 
caused  an  average  of  one  million  dollars  of  damage.  The  primarily 
endangered  interests  are  of  private  sector.  The  guardianship  of  the  victims 
is  surprisingly  weak,  vulnerable  to  the  uncomplicated  cybercrimes.  The 
punishments  (both  imprisonment  and  fine)  against  cybercrime  are 
generally  light. 

Chapter  V  discusses  about  cyberstalking.  Shortly  after  traditional 
stalking  had  been  criminalized,  new  approaches  for  stalking  emerged  as 
the  adoption  of  some  high  technological  inventions  were  used  in 
monitoring  people’s  activities.  Based  on  the  recognition  of  stalking  as  a 
kind  of  long-existing  human-human  observation,  this  article  expatiates  on 
recent  development  that  can  be  expressed  as  from  traditional  stalking  to 
cyberstalking  by  presenting  particular  power  of  information  and 
communications  technology  and  search  engines.  The  article  discusses  the 
ambiguous  limit  between  searching  and  stalking.  This  article  also 
considers  an  emerging  phenomenon  that  stalking  is  being  socialized 
through  the  pervasion  of  online  social  network  services. 

The  purpose  of  Chapter  VI  is  to  explore  the  legal  solutions  to 
unsolicited  commercial  e-mail.  The  advantages  of  e-mail  enable  it  to  be 
one  of  the  most  important  e-marketing  instruments.  Spammers  are  also 
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motivated  by  potential  profits  in  spamming.  The  low  costs  and  high 
benefits  of  the  spammers,  and  the  high  costs  and  low  benefits  of  the 
spammed  determine  the  illegal  nature  of  the  spamming.  The  spam  poses 
challenges  for  e-mail  recipients’  property  rights,  fair  trade,  public  morals, 
cyber  security,  personal  data  protection,  and  involves  other  concerns  as 
well.  In  dealing  with  spam,  technical  and  marketing  solutions  cannot  work 
alone  without  the  legal  mechanisms.  The  legal  regulation  is  justified  by 
balancing  the  interest  between  senders,  service  providers  and  even  users. 
Criminal  sanctions,  civil  remedies,  and  international  harmonization  are 
alternative  steps  in  establishing  legal  solutions.  As  a  necessary  part  of  the 
legislation,  punishment  for  unsolicited  commercial  e-mails  should  be  more 
severe.  Still， there  are  a  number  of  limitations  to  the  effectiveness  of  law 
enforcement  against  spamming.  Spam  must  be  eliminated  by 
comprehensive  mechanisms. 

Chapter  VII  focuses  on  the  extension  of  victimization  of  unsolicited 
messages  e-mail  with  attachments.  Based  on  the  analysis  of  a  sample  of 
501  pieces  of  unsolicited  e-mail  messages  with  attachments,  the  study 
finds  that  e-mail  account  exposing  and  seeking  can  both  contribute  to 
victimization;  while  the  receiving  of  unsolicited  messages  is  just  the  initial 
victimization,  the  reading  and  reacting  to  the  messages  could  lead  to 
further  victimization  of  virus  attack  or  financial  fraud,  and  to  conspiracy 
in  illegitimate  operations  such  as  tax  evasion  or  purchase  of  falsified 
documents. 

Chapter  VIII  discusses  broadly  about  cyber  warfare.  Cyber  warfare  is 
increasingly  listed  alongside  nuclear,  chemical,  and  biological  weapons  as 
a  potential  weapon  of  mass  destruction.  Interest  in  and  concerns  for  cyber 
warfare  have  also  been  prevalent  for  decades.  War-oriented  writer  usually 
exploited  such  serious  and  expensive  terms  as  cyber  war,  information  war, 
and  electronic  war  to  spread  their  impetuous  and  cheap  ideas.  This  essay 
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by  no  means  devaluates  serious  designs  and  plans,  studies  and  research, 
ideas  and  claims  revolving  around  cyber  warfare.  Rather,  the  purpose  of 
this  Chapter  is  to  analyze  existing  jokes,  hoaxes  and  hypes  on  the  so-called 
cyber  warfare,  so  as  to  distance  serious  research  from  misleading 
information. 

Chapter  IX  deals  with  spyware.  Spyware  poses  a  substantial  menace 
to  security,  integrity  and  confidentiality  of  information  systems. 
Originating  from  online  commercial  advertising  strategies,  spyware  can  be 
used  to  deceive  users,  forcibly  modify  system,  and  secretly  collect 
information  from  host  computer.  Basic  consensus  can  be  reached  on  the 
definition  of  spyware  upon  two  factors:  unauthorized  installation  and 
compromising  data.  This  Chapter  puts  spyware  on  a  platform  of  social 
legal  phenomena,  giving  a  review  of  taxonomy,  characteristics,  threatened 
interests  and  interest  group  revolving  around  the  standpoints  for  and 
against  the  prohibition  of  spyware.  Upon  its  appearances,  the  Chapter 
takes  a  look  at  current  legal  actions  against  spyware.  To  some  extent, 
existing  laws  provide  effective  means  for  combating  some  specific  spyware- 
related  activities. 

Chapter  X  explores  into  economic  approach  to  cyber  crime.  The  classic 
economic  analysis  of  crime  is  limited  to  handful  offences.  The  application 
of  this  approach  to  cybercrime  is  one  of  the  efforts  in  expanding  the 
research  field  and  has  significance  in  designing  the  framework  of 
legislation  and  law  enforcement.  The  article  analyzes  the  deterrence  from 
the  aspects  of  probability  of  detection  and  severity  of  punishment. 
Cybercrime  has  different  characteristics  with  most  traditional  offences 
and  challenges  some  aspects  of  the  previous  models  and  explanations 
based  on  the  hypothesis  of  rational  offender.  The  low  probability  of 
detection  decided  by  the  universality,  concealment,  complex, 
expensiveness,  and  rapid  rampancy  of  cybercrime  obstruct  the  function  of 
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deterrence  by  punishment.  The  expected  utility  of  the  offender  is  to  a 
certain  extent  promoted  by  the  low  probability  of  detection, 
notwithstanding  the  punishments  in  individual  cases  may  be  severe.  The 
instauration  of  cyber  police  and  the  implementation  of  severe  punishment 
leave  no  marginal  deterrence  at  the  current  technological  level.  The  ways 
to  improving  the  deterrence  are  to  adopt  techniques  to  increase  probability 
of  detection， conviction,  and  sentence,  and  to  enhance  international  legal 
co-ordination  and  co-operation  to  eliminate  safe  haven. 

Finally， Chapter  XI  concludes  the  whole  book  by  emphasizing  that 
cybercrimes  are  different  from  traditional  crimes  and  thus  pose  new 
challenges  to  the  legal  systems,  and  that  criminal  law  plays  a  necessary 
but  limited  role  in  combating  cyber  crime.  The  vulnerabilities  should  be 
eliminated  by  technological  means,  while  the  motives  should  be  eliminated 
by  legal  instruments. 

Keywords:  cyberspce,  cybersecurity,  cybercrime,  cyberstalking, 

cyberwarfare,  unsolicited  e-mail 


9 


10 


Table  of  Contents 

PREFACE . 5 

LIST  OF  FIGURES . 13 

LIST  OF  TABLES . 15 

CHAPTER  I  INTRODUCTION . 17 

Insecure  cyberspace . 17 

Structure  of  this  book . 19 

CHAPTER  II  CYBERSECURITY  AS  A  RELATIVE  CONCEPT . 25 

Introduction . 25 

Impact  of  Cyber  security  Breaches . 26 

Provision  of  Cybersecurity  as  a  Private  Good . 31 

Public  Provision  of  Cybersecurity:  Liability  Mechanisms . 35 

Conclusion . 41 

CHAPTER  III  IMPACT  OF  ANONYMITY  ON  CYBERSECURITY . 46 

Potentiality  of  Anonymity . 53 

Trans  -  territorial  Anonymity . 59 

CHAPTER  IV  HALLMARKS  OF  PROSECUTED  CYBERCRIME . 75 

Introduction . 75 

Literature  review . 76 

Methods . 82 

Results . 83 

Discussion  and  conclusion . 91 

CHAPTER  V  CYBERSTALKING . 96 

Introduction . 96 

The  Internet  makes  stalking  different . 98 

Human  flesh  search  engine:  enabling  the  unable . 105 

Searching  or  stalking:  an  ambiguous  limit . 108 

Conclusion . 112 

CHAPTER  VI  UNSOLOCITED  COMMERCIAL  E-MAIL . 117 

Introduction . 117 

Background  and  definition  of  spam . 118 

Comparison  between  traditional  and  e-mail  advertisements . 121 


li 


Challenges  of  spam  to  the  society . 128 

Costs  and  benefits  of  the  spammer  and  the  spammed . 131 

The  limitation  of  technological  and  market  solutions . 136 

Legal  regulations  on  spam . 138 

Conclusion . 154 

CHAPTER  VII  UNSOLICITED  E-MAIL  WITH  ATTACHMENTS . 161 

Introduction . 161 

Literature  review . 162 

Findings . 168 

Discussion . 187 

Conclusion . 191 

CHAPTER  VIII  CYBER  WARFARE? . 197 

Introduction . 197 

How  to  write  “the  scariest  cyber  warfare  article” . 200 

April  Fool’s  joke . 204 

Rise  and  fall  of  Estonian  cyber  war  hoax . 205 

A  “cyber  warfare”  years  before . 207 

Conclusion . 210 

CHAPTER  IX  SPYWARE  AND  SPY  AFFAIR . 213 

Spyware:  a  security  issue,  not  a  definition  issue . 213 

Spyware  for  spy  affairs . 216 

Spyware  and  spy  ways . 218 

Spyware  as  a  business . 220 

Cerebration  of  international  and  domestic  legal  actions  against 

spyware . 226 

Conclusion . 234 

CHAPTER  X  ECONOMIC  APPROACH  TO  CYBERCRIME . 240 

General  theory  of  punishment  in  law  and  economics . 240 

Factors  influencing  the  detection  and  conviction  probability  of 

cybercrime . 243 

Factors  influencing  the  severity  of  punishment  against  cybercrime . 257 

Conclusion . 261 

CHAPTER  XI  CONCLUSIONS . 269 


12 


LIST  OF  FIGURES 


Figure  1  Types  of  File  Formats  of  Attachments . 170 

Figure  2  Sizes  of  Messages  with  Attachments . 172 


Figure  3  Percentile  of  Some  Special  Sizes  of  Messages  with  Attachments 

. 172 

Figure  4  Types  of  Sender  Column  in  Unsolicited  Messages  with 

Attachments . 177 

Figure  5  Types  of  Subject  Column  in  Unsolicited  Messages  with 

Attachments . 179 

Figure  6  Types  of  Content  of  Messages  with  Attachments . 183 

Figure  7  Types  of  Contact  Method  Provided  in  Unsolicited  Messages  with 

Attachments . 186 

Figure  8  Extent  of  progress  on  updating  cybercrime  laws . 256 


13 


14 


LIST  OF  TABLES 


Table  1  Classical  division  of  goods  in  economy . 31 

Table  2  Ways  of  provision  of  private  goods  and  public  goods . 32 

Table  3  Comparison  between  traditional  advertisements  and  e-mail 

advertisements . 122 

Table  4  Comparisons  between  Opt-in  and  Opt-out  (Hong  Kong  Information 

Security  Website,  2005) . 142 

Table  5  Legislation  Modes  concerning  Labeling . 146 

Table  6  Legislation  Modes  concerning  Identity . 148 

Table  7  Types  of  File  Formats  of  Attachments . 169 

Table  8  Sizes  of  Messages  with  Attachments . 171 

Table  9  Compare  of  Average  Sizes  of  Messages . 173 

Table  10  Types  of  Sender  Column  in  Unsolicited  Messages  with 

Attachments . 174 

Table  11  Valid  Sender  column  in  Unsolicited  Message  with  Attachments 

. 176 

Table  12  Types  of  Subject  Column  in  Unsolicited  Messages  with 

Attachments . 178 

Table  13  Valid  Subject  Column  in  Unsolicited  Messages  with  Attachments 

. 179 

Table  14  Types  of  Content  of  Messages  with  Attachments . 181 

Table  15  Valid  Content  in  Unsolicited  Messages  with  Attachments . 183 

Table  16  Types  of  Contact  Method  Provided  in  Unsolicited  Messages  with 

Attachments . 185 

Table  17  Validity  and  Falsity  of  Sender  and  Subject  Columns  and  Content 

Separately . 186 

Table  18  Validity  and  Falsity  of  Either  Subject  or  Sender  Column . 187 

Table  19  Online  Use  of  Cyber  War  Terms . 198 

Table  20  Attitude  of  Involved  Players  in  Spyware  Business . 222 


15 


16 


CHAPTER  I  INTRODUCTION 


Insecure  cyberspace 


Recent  decades  have  witnessed  a  golden  age  in  social  history,  previously 
symbolized  by  long  wars  and  disasters,  but  now  showing  a  scene  of 
unparalleled  development  in  information  and  communications  technology 
(ICT)  and  related  material  forms  of  computers  and  networks.  In  both 
academic  and  popular  discourses,  newly-coined  words  indicate  that  the 
information  age  has  arrived  and  an  information  society  has  emerged.  The 
transition  eliminated  primary  obstacles  to  information  accessibility. 

As  one  of  the  fast  increasing  fields,  Social  Networking  Services  (SNSs) 
spread  in  a  surprising  rhythm  into  contemporary  social  life.  While  the 
number  of  users  of  the  SNSs  is  not  available,  it  was  estimated  that  among 
Internet  users,  about  74%  of  online  adults  use  social  networking  sites 
(Pew  Research  Center  2015).  In  fact,  at  present,  SNSs  are  used  in  a  broad 
range  of  mobile  devices， such  as  smart  phones,  cameras,  media  players, 
tablets  and  phablets， and  notebook  PCs,  which  are  usually  connected  to 
the  networks  when  they  are  in  use. 

Unfortunately,  information  systems  are  likely  to  crash,  and  likely  to 
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cause  disputes  and  lawsuits.  Furthermore,  the  order  of  cyberspace,  closely 
associated  with  the  welfare  of  citizens,  the  security  of  businesses,  and  the 
stability  of  society  is,  however,  becoming  increasingly  significant,  due  to 
increased  scale  of  the  online  population  to  over  one -sixth  of  the 
inhabitants  of  the  globe  (for  an  exploration  of  social  order  in  cyberspace， 
see  Li  2014， Li  2015).  What  is  problematic  in  the  landscape  of  the  social 
sciences  is  that  many  technological  loopholes  are  constantly  being 
exploited  with  malicious  intent,  while  technological  opportunities  are,  at 
the  same  time， generating  various  benefits  as  well.  Hence  chaos,  disorder, 
social  problems,  and  more  severely,  crimes  pose  great  threats  to  the 
security,  reliability,  and  credibility  of  the  information  society. 

Cyber  security  has  extended  its  influence  into  “meat  space”， that  is, 
real  society,  and  caused  widespread  concerns  among  various  entities  (Li 
2006).  Cybercrimes,  criminal  offences  committed  by  netizens  in 
cyberspace,  are  new  variants  of  criminal  phenomena.  This  raises  many 
questions  as  to  whether  the  existing  legal  system  has  the  capability  of 
deterring  cybercrimes. 

The  development  of  crime  is  closely  related  to  social  transformation 
at  both  the  micro  and  the  macro  levels.  In  the  temporal  dimension,  the 
change  of  criminal  law  over  time  necessitates  legal  reform,  while  in  the 
spatial  dimension,  the  difference  in  criminal  laws  between  the  various 
countries  requires  international  harmonization.  As  a  social  phenomenon, 
crimes  change  with  the  development  of  society.  It  has  previously  been 
recognized  that  with  the  advent  of  ICT， social  change  brought  about  by 
technology  is  capable  of  occurring  with  devastating  rapidity. 

In  order  for  our  society  to  continue  to  flourish,  legal  certainty  should 
be  extended  to  guarantee  that  criminal  activities  committed  in  cyberspace 
are  punished  in  the  physical  world. 
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Structure  of  this  book 


After  this  Introduction,  to  address  the  challenges  posed  to  criminal  law  by 
information  systems,  it  is  necessary  to  clarify  how  the  phenomenon  stands 
from  the  legal  viewpoint.  Based  on  the  relativity  of  the  concept  of 
cybersecurity,  Chapter  II  analyzes  the  economic  impact  of  cyber  security 
breaches,  identifies  cybersecurity  as  aprivate  good  that  should  be  provided 
mainly  by  the  private  sector.  However,  public  provision  is  also  necessary 
when  severe  security  breaches  occur  and  liability  mechanisms  should  be 
triggered. 

In  Chapter  III， it  has  been  recognized  that,  while  information 
systems  provide  modern  society  with  great  convenience,  it  also  poses  new 
problems  in  maintaining  social  order.  One  of  its  negative  influences  is  the 
anonymity  of  cyberspace,  which  makes  identity  tracing  a  noteworthy 
predicament  which  poses  obstacles  in  detection  and  investigations.  It  has 
been  found  that  cyber  anonymity  has  critical  impacts  on  criminal 
motivation,  and  the  phenomena  of  victimization,  and  should  be  tackled  on 
different  layers  including  technology  and  law  enforcement.  The  article 
explores  how  the  anonymity  symbolizes  the  cyberspace,  what  threats  are 
posed  by  cyber  anonymity  against  social  order,  what  potentialities  the 
anonymity  has,  how  the  trans-territorial  anonymity  was  facilitated,  and 
the  real  impact  of  anonymity  on  law  and  order  in  the  information  society. 

The  purpose  of  Chapter  IV  is  to  present  an  updated  profile  of 
cybercriminality  and  cybervictimization  based  on  practical  materials.  The 
study  used  a  sample  of  115  typical  cases  prosecuted  (during  18  March 
1998  to  12  May  2006)， published  officially  on  the  web  site  of  the  United 
States  Department  of  Justice.  The  study  found  that  males  are  responsible 
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for  a  majority  of  these  cybercrimes.  The  cybercriminals  distribute 
primarily  among  the  ages  between  17  to  45  years  old.  Domestic 
perpetrators  constitute  the  absolute  majority  of  the  cybercriminals. 
Outsiders  are  four  times  more  likely  to  be  involved  in  cybercrimes  than 
insiders.  Most  cybercrimes  did  not  involve  monetary  loss， while  the  other 
cybercrimes  caused  an  average  of  one  million  dollars  of  damage.  The 
primarily  endangered  interests  are  of  private  sector.  The  guardianship  of 
the  victims  is  surprisingly  weak,  vulnerable  to  the  uncomplicated 
cybercrimes.  The  punishments  (both  imprisonment  and  fine)  against 
cybercrime  are  generally  light. 

Chapter  V  discusses  about  cyberstalking.  Shortly  after  traditional 
stalking  had  been  criminalized,  new  approaches  for  stalking  emerged  as 
the  adoption  of  some  high  technological  inventions  were  used  in 
monitoring  people’s  activities.  Based  on  the  recognition  of  stalking  as  a 
kind  of  long-existing  human-human  observation,  this  article  expatiates  on 
recent  development  that  can  be  expressed  as  from  traditional  stalking  to 
cyberstalking  by  presenting  particular  power  of  information  and 
communications  technology  and  search  engines.  The  article  discusses  the 
ambiguous  limit  between  searching  and  stalking.  This  article  also 
considers  an  emerging  phenomenon  that  stalking  is  being  socialized 
through  the  pervasion  of  online  social  network  services. 

The  purpose  of  Chapter  VI  is  to  explore  the  legal  solutions  to 
unsolicited  commercial  e-mail.  The  advantages  of  e-mail  enable  it  to  be 
one  of  the  most  important  e-marketing  instruments.  Spammers  are  also 
motivated  by  potential  profits  in  spamming.  The  low  costs  and  high 
benefits  of  the  spammers,  and  the  high  costs  and  low  benefits  of  the 
spammed  determine  the  illegal  nature  of  the  spamming.  The  spam  poses 
challenges  for  e-mail  recipients’  property  rights,  fair  trade,  public  morals, 
cybersecurity,  personal  data  protection,  and  involves  other  concerns  as 
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well.  In  dealing  with  spam,  technical  and  marketing  solutions  cannot  work 
alone  without  the  legal  mechanisms.  The  legal  regulation  is  justified  by 
balancing  the  interest  between  senders,  service  providers  and  even  users. 
Criminal  sanctions,  civil  remedies,  and  international  harmonization  are 
alternative  steps  in  establishing  legal  solutions.  As  a  necessary  part  of  the 
legislation,  punishment  for  unsolicited  commercial  e-mails  should  be  more 
severe.  Still， there  are  a  number  of  limitations  to  the  effectiveness  of  law 
enforcement  against  spamming.  Spam  must  be  eliminated  by 
comprehensive  mechanisms. 

Chapter  VII  focuses  on  the  extension  of  victimization  of  unsolicited 
messages  e-mail  with  attachments.  Based  on  the  analysis  of  a  sample  of 
501  pieces  of  unsolicited  e-mail  messages  with  attachments,  the  study 
finds  that  e-mail  account  exposing  and  seeking  can  both  contribute  to 
victimization;  while  the  receiving  of  unsolicited  messages  is  just  the  initial 
victimization,  the  reading  and  reacting  to  the  messages  could  lead  to 
further  victimization  of  virus  attack  or  financial  fraud,  and  to  conspiracy 
in  illegitimate  operations  such  as  tax  evasion  or  purchase  of  falsified 
documents. 


Chapter  VIII  discusses  broadly  about  cyber  warfare.  Cyber  warfare  is 
increasingly  listed  alongside  nuclear,  chemical,  and  biological  weapons  as 
a  potential  weapon  of  mass  destruction.  Interest  in  and  concerns  for  cyber 
warfare  have  also  been  prevalent  for  decades.  War-oriented  writer  usually 
exploited  such  serious  and  expensive  terms  as  cyber  war,  information  war, 
and  electronic  war  to  spread  their  impetuous  and  cheap  ideas.  This  essay 
by  no  means  devaluates  serious  designs  and  plans,  studies  and  research, 
ideas  and  claims  revolving  around  cyber  warfare.  Rather,  the  purpose  of 
this  Chapter  is  to  analyze  existing  jokes,  hoaxes  and  hypes  on  the  so-called 
cyber  warfare,  so  as  to  distance  serious  research  from  misleading 
information. 
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Chapter  IX  deals  with  spyware.  Spyware  poses  a  substantial  menace 
to  security,  integrity  and  confidentiality  of  information  systems. 
Originating  from  online  commercial  advertising  strategies,  spyware  can  be 
used  to  deceive  users,  forcibly  modify  system,  and  secretly  collect 
information  from  host  computer.  Basic  consensus  can  be  reached  on  the 
definition  of  spyware  upon  two  factors:  unauthorized  installation  and 
compromising  data.  This  Chapter  puts  spyware  on  a  platform  of  social 
legal  phenomena,  giving  a  review  of  taxonomy,  characteristics,  threatened 
interests  and  interest  group  revolving  around  the  standpoints  for  and 
against  the  prohibition  of  spyware.  Upon  its  appearances,  the  Chapter 
takes  a  look  at  current  legal  actions  against  spyware.  To  some  extent, 
existing  laws  provide  effective  means  for  combating  some  specific  spyware- 
related  activities. 

Chapter  X  explores  into  economic  approach  to  cyber  crime.  Modern 
economic  approach  to  crime  seeks  to  observe  criminal  behaviour  in  the 
light  of  pure  economic  factors.  While  abundant  literatures  address  the 
issue,  the  economic  dimension  of  crime  is  an  underdeveloped  perspective. 
The  classic  economic  analysis  of  crime  is  limited  to  handful  offences.  The 
application  of  this  approach  to  cybercrime  is  one  of  the  efforts  in 
expanding  the  research  field  and  has  significance  in  designing  the 
framework  of  legislation  and  law  enforcement.  The  article  analyzes  the 
deterrence  from  the  aspects  of  probability  of  detection  and  severity  of 
punishment.  Cybercrime  has  different  characteristics  with  most 
traditional  offences  and  challenges  some  aspects  of  the  previous  models 
and  explanations  based  on  the  hypothesis  of  rational  offender.  The  low 
probability  of  detection  decided  by  the  universality,  concealment,  complex, 
expensiveness,  and  rapid  rampancy  of  cybercrime  obstruct  the  function  of 
deterrence  by  punishment.  The  expected  utility  of  the  offender  is  to  a 
certain  extent  promoted  by  the  low  probability  of  detection, 
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notwithstanding  the  punishments  in  individual  cases  may  be  severe.  The 
instauration  of  cyber  police  and  the  implementation  of  severe  punishment 
leave  no  marginal  deterrence  at  the  current  technological  level.  The  ways 
to  improving  the  deterrence  are  to  adopt  techniques  to  increase  probability 
of  detection,  conviction,  and  sentence， and  to  enhance  international  legal 
co-ordination  and  co-operation  to  eliminate  safe  haven. 

Finally,  Chapter  XI  concludes  the  whole  book  by  emphasizing  that 
cybercrimes  are  different  from  traditional  crimes  and  thus  pose  new 
challenges  to  the  legal  systems,  and  that  criminal  law  plays  a  necessary 
but  limited  role  in  combating  cyber  crime.  With  the  routinization  of  the 
phenomenon  of  cybercrime,  criminal-law  reform  will  slow  down.  Overall, 
solutions  should  be  found  from  the  impacts  of  vulnerabilities  and  motives. 
The  vulnerabilities  should  be  eliminated  by  technological  means,  while 
the  motives  should  be  eliminated  by  legal  instruments. 


References 

1.  Internetworldstats.com.  2015.  Internet  Usage  Statistics-The  Big 
Picture.  Retrieved  15  February  2016，  from 
http://www.internetworldstats.com/stats.htm. 

2.  Li,  X.  2006.  Cyber  security  as  a  Relative  Concept.  Information  & 
Security:  An  International  Journal,  18,  pp.  11-24. 

3.  Li,  X.  2014.  Exploring  into  regulatory  mode  for  social  order  in 
cyberspace.  Webology,  11  (2)， 1-8. 

4.  Li,  X.  2015.  Cyberspace  and  the  Informed  Rationality  of  Law. 
The  Romanian  Journal  of  Sociology,  26,  pp.  3-27. 

5.  Pew  Research  Center.  (2015).  Social  Networking  Fact  Sheet. 

Retrieved  15  February  2016，  from 


23 


http://www.pewinternet.org/fact-sheets/social-networking-fact- 

sheet/ 


24 


CHAPTER  II  CYBERSECURITY  AS  A  RELATIVE 
CONCEPT 


Introduction 


The  Internet  has  become  a  critical  infrastructure  for  both  public  and 
private  sectors  and  has  brought  new  levels  of  productivity,  convenience， 
and  efficiency.  The  increasing  incidents  of  Internet  attacks  representing 
examples  of  how  vulnerable  the  information  systems  are,  how  far  the 
offensive  technology  outpaces  the  defensive  technology,  how  easy  various 
malicious  programs  are  created  and  how  smart  they  can  spread  all  over 
the  Internet  rapidly,  have  started  to  impact  the  practical  facets  of  our  lives. 
At  the  same  time,  the  attackers  are  able  to  conceal  their  attacks  by 
disabling  logging  facilities  or  modifying  event  logs,  so  their  activity  goes 
undetected.  Even  worse,  some  automated  programs  have  been  designed  to 
specifically  disable  anti-virus  software  or  penetrate  firewalls.  The  security 
violations  have  multi- dimensional  impacts  on  both  consumers  and 
businesses,  including  time,  human  resources,  monetary  losses  and 
psychological  losses. 

The  Internet  and  the  larger  information  infrastructure  are  not  secure 
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(National  Research  Council  1996).  McCormick  identified  five  reasons  why 
Internet  is  vulnerable:  failing  to  enforce  policies,  ignoring  new 
vulnerabilities,  relying  too  much  on  technology,  failing  to  thoroughly 
investigate  job  candidates,  and  expecting  too  much  from  technical  skills 
(McComick  2005).  These  risks  cause  serious  insecurity  problems  in  the 
information  society  (Farmer  1996). 

While  the  governments  have  made  efforts  to  better  secure  their  own 
computer  networks  to  prevent  terrorists  from  hacking  into  computer 
systems,  the  governments  have  been  increasingly  concerned  that  the 
private  sector  is  vulnerable  to  cyberterrorism .  The  question  being  asked  is 
whether  private  businesses  provide  enough  cybersecurity,  or  some  form  of 
government  involvement  is  justified.  Many  empirical  studies  examined  the 
economic  impact  of  cybersecurity  breaches.  Theories  diversify  in  regarding 
the  cybersecurity  as  an  externality  (Chandler  2004)， a  public  good  (Coyne 
and  Leesen  2005),  or  a  private  good  (Powell  2001). 

Based  on  the  concept  of  relative  cybersecurity,  this  Chapter  analyzes 
the  economic  impact  of  cybersecurity  breaches,  whether  cybersecurity  is  a 
public  good  or  a  private  good.  It  also  establishes  liability  mechanism  for 
cyber  security  breaches. 


Impact  of  Cybersecurity  Breaches 


Increasing  Investment  of  Users  in  Cyber  security 


The  users’  investment  in  cybersecurity  takes  on  the  tendency  of  increasing. 
Although  exact  statistics  on  these  expenditures  is  unavailable,  the  add-up 
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of  global  users’  financial  costs  will  reach  a  surprising  figure.  According  to  a 
survey  conducted  by  the  Computer  Security  Institute  (CSI)  and  the 
Federal  Bureau  of  Investigation  (FBI),  nearly  all  of  the  companies 
surveyed  in  2005  used  anti-virus  software,  firewall,  and  some  measures  of 
access  control.  Besides  the  hardware  and  software,  the  organizational 
users  also  have  to  employ  security  personnel  or  institutions  to  maintain 
their  systems.  These  measures  induce  the  increase  of  the  investment  of 
network  users.  But  in  fact,  security  measures  can  hardly  ever  be  a  perfect 
assurance  against  damage  and  accidents.  Absolute  security  becomes  too 
expensive  to  be  reasonable  (Daler,  Gulbrandsen,  Melgrd,  and  Sjolstad 
1989,  p.  15). 


Frequent  Occurrence  of  Cyber  security  Breaches 


Although  the  investment  in  cybersecurity  is  increasing  year  by  year,  the 
breaches  still  occur  frequently.  The  potential  for  information  security 
breaches,  as  well  as  the  magnitude  of  potential  losses  associated  with  such 
breaches,  has  been  confirmed  by  empirical  studies. 

The  annual  surveys  on  information  security  breaches  have  pointed 
out  that  cybersecurity  breaches  are  ubiquitous.  The  2005  survey 
conducted  by  CSI  and  FBI  revealed  that  56  percent  of  the  surveyed  693 
U.S.  computer  security  practitioners  acknowledged  unauthorized  use  of  a 
computer  in  their  organization  in  the  last  12  months  (Gordon,  Loeb， 
Lucyshyn,  and  Richasrdson  2005,  p.  11). 

CERT  Coordination  Center  reported  that  the  computer  security 
vulnerabilities  increased  nearly  35 -fold  during  one  decade  with  171 
separate  holes  reported  in  1995  and  5,990  reported  in  2005  (CERT 
Coordination  Center  2005).  In  the  recent  years,  the  publicly  disclosed 
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virus  attacks  are  billing  the  global  computer  users  in  an  accelerated  speed, 
even  though  many  of  the  users  are  unaware  of,  or  unwilling  to  report  the 
losses. 


Increasing  Costs  of  Cyber  security  Breaches 


As  a  consequence  of  the  frequent  occurrence  of  cybersecurity  breaches,  the 
losses  of  these  breaches  are  increasing  as  well.  The  losses  can  be  divided 
into  direct  and  indirect,  tangible  and  intangible,  and  short-term  and  long¬ 
term.  Neumann  stated  that  costs  of  cybercrime  are  difficult  to  measure; 
however,  these  costs  are  reasonably  substantial  and  growing  rapidly 
(Neumann  1999).  Scholars  proposed  various  models  to  try  to  measure  the 
costs  of  security  breaches,  such  as  in  the  Forrester  Research.  Howe  and 
colleagues’  analysis  indicated  that,  if  the  perpetrators  were  to  unlawfully 
transfer  $1  million  from  an  online  bank,  the  financial  influence  to  the 
bank  would  reach  $106  million  (Howe,  McCarthy,  Buss,  and  Davis  1998). 

The  direct  losses  are  those  directly  involved  in  the  attacks,  including 
interruption  of  business,  destruction  of  software  and  hardware, 
expenditure  on  recovering  the  systems,  installation  and  update  of  security 
means,  recruiting  security  personnel,  etc.  The  indirect  losses  are  losses 
indirectly  related  to  the  attacks， such  as  reduction  of  consumers,  decrease 
of  stock  prices,  etc.  The  other  kinds  of  losses  are  also  easy  to  emerge. 

The  2005  CSI/FBI  survey  noted  that,  of  the  639  respondents  that 
were  willing  and/or  able  to  estimate  losses  due  to  security  breaches,  such 
breaches  resulted  in  losses  close  to  $130  million  (Gordon,  Loeb， Lucyshyn, 
and  Richasrdson  2005， p.  15).  On  the  other  hand,  Lukasik  claims  that 
cybercrime  costs  are  essentially  doubling  each  year  (Lukasik  2000).  The 
problem  becomes  even  more  complex  when  one  considers  the  “black  figure” 
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of  these  crimes.  Ullman  and  Ferrer  a  mentioned  that,  according  to  FBI 
estimates,  only  17  percent  of  computer  crimes  are  reported  to  government 
authorities  (Ullman  and  Ferrera  1998). 


Relativity  of  the  Cyber  security  Concept 

There  are  various  answers  to  the  question  “What  is  cybersecurity 
Cyber  security  is  a  comparative  concept.  On  one  hand,  it  includes  the 
comparison  between  security  and  attack  techniques.  On  the  other  hand,  it 
includes  comparison  between  different  security  techniques  and  measures. 
Considering  the  comparison  between  the  techniques  for  security  and 
attack,  it  is  publicly  well  recognized  that  the  attack  techniques  develop 
faster  than  the  security  techniques,  regardless  of  the  reasons.  In  other 
words,  the  hardware,  the  software,  or  the  other  information  system 
components  are  always  vulnerable  and  this  fact  can  be  exploited.  We  could 
call  this  the  absolute  level  of  security.  Considering  the  comparison 
between  the  different  security  techniques,  the  existence  of  different 
environments,  the  possession  of  different  hardware,  software  and  other 
equipment,  and  the  adoption  of  different  security  techniques,  all  this  leads 
to  difference  in  the  level  of  security.  Therefore,  each  of  the  individual  or 
organizational  users  has  a  different  security  level. 

Some  viewpoints  regard  cyber  security  as  an  externality  (Camp  and 
Wolfram  2000,  pp.  31-39).  Camp  and  Wolfram  point  out  that  if  a  company 
does  a  poor  job  at  cybersecurity,  other  companies  may  be  affected 
negatively.  Thus,  the  cost  is  an  externality  to  the  owner  of  the  infected 
machine  (ibid.).  However,  if  we  identify  cybersecurity  as  an  externality,  it 
is  inevitable  that  to  the  extent  investments  in  computer  security  create 
positive  externalities,  too  little  will  be  provided. 
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Security  is  not  the  reason  that  drives  the  attackers  to  violate  security 
and  launch  attacks,  nor  the  condition  that  facilitates  the  attacks,  but  the 
target  that  the  attacks  aim  at.  In  fact,  there  is  no  clear  boundary  between 
security  and  insecurity.  Security  and  insecurity  have  only  quantitative 
difference,  but  no  quality  distinction.  Neither  absolute  security  nor 
complete  insecurity  exists.  That  is  to  say,  security  and  insecurity  should 
be  considered  as  security  between  zero  percent  and  100  percent.  Therefore, 
security  is  a  relative  concept.  The  security  of  a  higher  level  is  security, 
while  the  security  of  a  lower  level  is  insecurity. 

Although  the  information  systems  on  the  Internet  all  have  a  similar 
framework,  they  lack  any  central  control  system  and  are  uncontrollable. 
Not  only  the  physical  system,  but  also  the  operational  process  is 
uncontrollable.  Thus,  to  a  great  extent,  the  security  of  the  Internet 
depends  on  the  security  measures  taken  by  the  end  users,  either 
individuals  or  organizations.  However,  the  security  measures  of  individual 
and  organizational  users  are  widely  different  due  to  the  difference  in 
hardware,  software， and  human  resources. 

The  level  of  security  of  the  end  users  on  the  network  is  different;  an 
absolute  value  of  security  does  not  exist.  Security  is  just  a  comparison  of 
relative  values.  It  is  both  the  result  of  comparison  between  users  and  the 
comparison  between  past  and  present,  i.e.， horizontal  and  vertical 
comparison.  Due  to  the  large  number  of  network  users  and  the  rapid 
change  in  the  network  environment,  the  result  of  this  comparison  changes 
constantly.  In  general,  a  higher  level  security  will  change  quickly  into  a 
lower  level  security  (insecurity)  with  transformation  of  techniques  and  the 
environment.  Therefore,  the  cybersecurity  measures  have  to  be  updated 
and  renewed  timely,  frequently,  and  efficiently. 

If  the  cybersecurity  measures  cannot  be  updated  and  renewed  in  a 
timely,  frequent  and  efficient  manner,  vulnerabilities  might  occur. 
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Vulnerability  is  not  the  security  or  insecurity  themselves,  but  a  factor  that 
makes  it  impossible  to  realize  perfect  security,  and  an  extra  loophole 
caused  by  the  external  factors  in  the  investor’s  production  of  the  expected 
complete  security.  It  is  the  natural  adversary  of  the  security  product,  i.e.， 
flaws  that  can  be  detected  and  exploited  by  the  potential  attackers  to 
commit  harm  and  cause  loss. 


Table  1  Classical  division  of  goods  in  economy 


Classic  division  of  goods 

in  economy 

Exclusion  from  consumption 

YES 

NO 

Competition  in 

YES 

private  good:  food, 

common  good:  natural 

consumption 

clothing,  toys,  furniture, 

environment 

cars 

NO 

club  good:  private  schools, 

public  good:  national  security 

cinemas,  clubs, 

(army  and  police  forces) 

Source:  Wikipedia,  at  http://en.wikipedia.org/wiki/Good_%28economics%29. 


Provision  of  Cybersecurity  as  a  Private  Good 


In  economics,  goods  are  traditionally  classified  into  four  categories  as 
listed  in  Table  1.  Besides  other  issues,  private  good  and  public  good  can  be 
generally  regarded  as  a  pair  of  opposites.  The  main  features  of  the  private 
good  are  excludability  and  rivalry. 

According  to  Samuelson  (1954)， public  good  is  a  good  that  produces  a 


positive  externality  and  which  is  characterized  by  non-rival  consumption 
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and  non-excludability.  The  private  provision  of  private  goods,  or  public 
provision  of  public  goods  are  not  the  unique  ways  in  providing  these  two 
kinds  of  goods  (let  us  not  consider  the  other  kinds  of  goods  here).  The  ways 
of  provision  of  these  two  kinds  of  goods  can  be  illustrated  as  shown  in 
Table  2. 


Table  2  Ways  of  provision  of  private  goods  and  public  goods 


Different  ways 

of  provision  of 

different  goods 

Private 

provision 

Government 

provision 

Mixed  Provision 

Private  goods 

clothes,  food, 

car,  private 

housing 

food  supply  as  in 

communist 

China  in  end 

1950s 

transportation, 

medical  care 

Public  goods 

foreign  aid 

national  defence 

pollution 

reduction 

The  public  good  is  usually  confronted  with  the  problem  of  being 
underprovided  or  not  being  provided  when  it  is  put  on  the  private  market. 
Such  a  problem  appears  in  providing  cybersecurity.  Generally,  a  higher 
level  of  cyber  security  would  benefit  both  the  individual  or  organizational 
owner  and  users  other  than  the  owner.  Because  insecure  computers  are 
vulnerable  to  be  manipulated  to  launch  attacks  against  other  computers, 
it  is  reasonable  to  assume  that  if  an  owner  maintains  a  higher  level  of 
cyber  security,  the  other  users’  computers  may  experience  a  lesser  risk  of 
being  attacked. 

Then  the  other  users  would  have  the  good  reason  to  reduce  their 
investment  in  security  protection.  The  computer  users’  security  provision 
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only  diminishes  the  probability  of  the  others’  computers  being  attacked. 
However,  since  individuals  are  not  generally  liable  for  the  damage  caused 
when  a  hacker  uses  their  computer,  they  do  not  benefit  from  the  increased 
security  (V arian  2002).  And  because  users  with  ability  to  provide  security 
do  not  benefit,  they  will  fail  to  provide  it.  The  same  applies  to  other 
computer  owners,  and， therefore,  everybody  is  in  a  worse  situation  than 
would  be  if  everyone  provided  the  security  that  would  have  spillover 
benefits  for  everyone  else. 


As  we  have  seen,  cybersecurity  is  both  excludable  and  rivalrous. 
Cyber  security  has  neither  territorial  boundary  nor  industrial  limit.  In  the 
global  village,  all  individuals  and  organizations  are  confronted  with  risks 
of  the  same  level.  In  this  environment,  the  security  of  individuals  or 
organizations’  systems  matters  firstly  to  themselves.  Only  in  some 
accidental  situations  are  others  involved,  such  as  in  the  case  of  DOS 
attacks. 

Powell  provides  evidence  from  the  financial  services  industry  to  prove 
that  cybersecurity  is  hardly  a  public  good  (Powell  2001).  Individuals  and 
organizations  have  excludability  in  cyber  security.  The  excludability  of 
cyber  security  roots  in  the  three  characteristics  of  cybersecurity,  i.e.， 
confidentiality,  integrity  and  availability,  among  which  confidentiality 
fully  expresses  the  excludability  of  cybersecurity.  We  could  see  the 
situation  this  way:  if  security  is  available  to  one  user,  it  is  unavailable  to 
other  users,  and  if  others  enjoy  security,  ones’  security  does  not  exist  any 
longer.  Unsurprisingly,  cyber  security  is  characterized  as  preservation  of 
confidentiality,  ensuring  that  information  is  accessible  only  to  those 
authorized  to  have  access;  integrity,  safeguarding  the  accuracy  and 
completeness  of  information  and  processing  methods;  availability, 
ensuring  that  authorized  users  have  access  to  information  and  associated 
assets  when  required.  The  users’  security  is  enjoyed  solely  by  themselves. 


33 


Any  sharing  entails  that  systems  become  insecure.  In  fact,  hackers  are 
precisely  the  exploiters  and  sharers  of  insecure  systems.  Therefore, 
cyber  security  has  more  excludability  than  any  private  good. 

On  the  other  hand,  the  cost  of  expanding  security  to  others  is  not  zero, 
but  enormously  high.  If  one  user  enjoys  a  higher  level  of  security,  the  level 
of  security  of  the  others  will  relatively  decrease.  As  mentioned  above, 
there  is  no  perfect  security.  Security  and  insecurity  are  relative  concepts 
that  exist  in  comparisons.  If  one  enjoys  a  higher  level  of  cybersecurity,  the 
level  of  security  of  the  others  will  decrease  to  insecurity.  The  competition 
between  the  security  measures  is  the  reason  that  causes  increase  of  the 
difference  between  the  relative  securities.  Of  course,  the  enhancement  of 
the  total  security  level  benefits  from  that  competition. 

Katyal’s  study  stresses  that  to  some  extent  private  security  measures 
may  increase  crime  (Katyal  2005).  The  basic  assumption  behind  this 
argument  is  that,  if  one  household  locks  its  door,  the  thief  will  turn  to  the 
neighbor  whose  doors  are  left  unlocked.  Therefore,  locking  of  one’s  own 
door  breaks  the  reciprocity  and  mutual  trust  in  the  neighborhood.  If  we 
consider  the  fact  that  currently  nearly  all  households,  companies,  and 
even  government  agencies  “lock  their  own  doors，’’  we  can  easily  conclude 
that  this  assumption  is  absurd.  Only  when  every  household,  company  and 
governmental  agency  is  convinced  not  to  take  such  “inefficient”  measures 
is  such  an  assumption  significant.  The  author  believes  that  such  an 
assumption  ignores  the  dual  value  of  locking  in  the  prevention  of  crime:  on 
one  hand， locking  protects  from  damage  and  harm,  making  the  potential 
criminals  shrink  back  at  the  sight,  or  taking  criminals  more  time  before 
suffering  losses;  on  the  other  hand， locking  increases  the  potential 
criminals’  time  consumption  and  material  costs  in  looking  for  new  victims， 
and  even  making  it  impossible  for  them  to  find  one.  If  none  of  the 
households  and  organizations  locks  their  doors,  potential  criminals  can 
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easily  find  possible  targets.  Therefore,  the  difficulty  of  crime  will  decrease, 
and  the  efficiency  will  increase.  The  potential  criminals  are  indifferent 
about  costs,  benefits,  likelihood  of  success. 

This  pertains  particularly  to  cybersecurity.  If  every  computer  owner 
is  encouraged  not  to  use  security  control,  the  computer  will  be  more 
vulnerable  to  attacks.  Assuming  that  the  environment  and  the  potential  of 
all  individual  and  organizations’  computers  are  the  same  and  the  risk  of 
being  attacked  is  also  approximately  similar,  then  only  when  the  benefits 
related  to  cyber  security  are  equal  could  the  provision  of  public 
cyber  security  be  efficient.  But  this  situation  rarely  exists  in  reality. 
Therefore,  an  unlimited  public  cyber  security  would  be  excessive  for  some 
individuals  and  organizations  and  insufficient  for  others.  The  situation  of 
abundance  is  economically  inefficient,  while  the  situation  of  insufficiency 
is  inefficient  in  terms  of  security.  Hence,  both  ways,  the  public 
cyber  security  control  cannot  function  optimally.  In  result,  if  cyber  security 
is  provided  in  the  mode  of  public  good,  it  is  impossible  to  be  more 
beneficial  than  as  a  private  good. 


Kobayashi  notes  that  cybersecurity  is  different  from  traditional 
security  (Kobayashi  2005).  To  discourage  crime  ex  ante  in  the  general 
criminal  context， the  government  could  implement  sufficient  level  of 
punishment  to  deter  the  crime  from  accruing.  In  the  case  of  cybercrime, 
the  likelihood  of  detecting  is  so  low  that  the  penalty  imposed  would  have 
to  be  of  considerable  magnitude  to  deter  cybercrime.  In  what  follows,  the 
author  will  explore  the  possibility  of  establishing  liability  for  the  different 
participants  in  the  process  of  cybersecurity  provision. 


Public  Provision  of  Cybersecurity:  Liability  Mechanisms 


35 


Even  if  it  were  technically  feasible  to  keep  all  systems  100%  secure,  the 
costs  would  have  been  so  prohibitive  as  to  render  such  an  approach  an 
economic  prescription  for  disaster.  The  government  can  neither  provide 
cyber  security  nor  manipulate  the  systems.  Naturally,  one  of  the  Ernst  & 
Young  survey’s  key  findings  was  that  only  11%  deemed  government 
security- driven  regulations  as  being  highly  effective  in  improving  their 
information  security  posture  or  in  reducing  data  protection  risks  (Earnest 
&  Young  2004).  However,  any  argument  stating  that  the  governments  can 
play  no  role  in  the  field  of  cybersecurity  is  over  skeptical.  The  governments 
can  play  a  necessary  role  in  deterring  the  attackers,  but  they  are  by  no 
means  helpless  in  the  maintenance  of  an  adequate  level  of  cybersecurity. 
Their  roles  are  to  impose  penalty  through  legislation  and  deter  crime  by 
means  of  ex  post  law  enforcement.  Providing  cybersecurity  as  a  public 
good  is  confronted  with  greater  difficulties  in  international  cooperation 
than  as  a  private  good.  Even  if  some  countries  can  convince  their 
taxpayers  to  pay  for  the  expenses  involved  in  the  public  provision  of 
cybersecurity,  if  you  cannot  simultaneously  convince  all  countries  to  do  so, 
it  will  not  be  cost-efficient.  In  this  section,  the  author  will  analyze  the 
characteristics  of  the  possible  liability  of  various  players  in  the  field  of 
cybersecurity. 


Liability  of  Hackers 


Ballon  argues  that  the  major  benefits  of  holding  the  hacker  liable  for  the 
damage  he  causes  is  that  the  target  has  more  choices  and  control  in 
applying  the  law  against  hackers  (Ballon  1997).  Compared  to  a  criminal 
action,  the  liability  of  hackers  can  be  justified  by  that  it  grants  the 
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plaintiff  “greater  control  over  the  litigation  and  potentially  better  long¬ 
term  relief;’’  that  it  encourages  attack  reporting  (Gripman  1997);  and  that 
a  target  will  have  the  motive  to  recover  losses  at  the  same  time  of 
punishing  the  perpetrator  (Hatcher,  McDannel  and  Ostfeld  1999). 

The  disadvantage  of  tort  liability  of  hackers  lies  in  two  aspects:  on 
one  hand,  the  plaintiff  has  to  pay  a  significant  amount  of  money  before 
receiving  any  compensation;  on  the  other  hand， most  hackers  have  had 
and  will  have  greater  incentives  to  be  judgment-proof  (Brooke  2000).  If  a 
hacker  has  little  to  lose  under  tort  liability  mechanism,  his  most  rational 
choice  will  be  to  hide  more  secretly  himself  and  his  assets  (Calkins  2000). 
In  the  networked  world,  tracking  a  hacker  or  finding  his  money  will  need 
more  energy,  time,  and  costs,  and  will  even  prove  to  be  an  impossible  task. 
As  a  result,  the  hacker  would  carry  out  the  act  more  judgment-proof.  Even 
worse,  the  hacker  might  be  forced  by  the  civil  actions  to  commit  other 
money-harvesting  offences  to  support  his  actions. 

Currently,  dozens  of  countries  have  enacted  domestic  law  against 
cybercrime.  In  addition,  there  have  also  been  successful  international  legal 
actions,  such  as  the  Convention  on  Cybercrime  (2001)  and  other  domestic 
provisions.  Although  the  legislation  is  already  there,  the  practical  effects 
are  doubtful.  There  are  many  hackers  but  the  detection  probability  is  quite 
low  and  the  application  of  legislation  is  rare. 

Liability  of  Internet  Service  Providers 

Internet  Service  Providers  (ISP)’s  tort  liability  plays  an  important  role  in 
the  following  two  cases:  first,  a  lower  level  of  ISP’s  security  standard 
might  be  exploited  by  hackers;  and  second， the  ISP’s  vicarious  liability  for 
its  employee’s  security  breach  makes  it  easier  to  recover  the  target’s  losses 
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(Icove， Seger， and  VonStorch  1995,  p.  427).  To  justify  the  first  aspect,  an 
important  economic  consideration  is  that  the  ISP’s  cost  to  improve  its 
security  level  is  lower  compared  to  the  hackers’  high  potential  cost  to 
society,  and  with  the  security  standard  the  security  condition  becomes 
more  certain  and  reliable  (Icove， Seger,  and  VonStorch  1995).  This  would 
be  expected  to  lower  the  overall  cost  of  the  Internet  service,  provide 
incentive  for  Internet  participation,  and  increase  the  value  of  the  network 
to  society  (Goodman  1997).  There  is  no  theoretical  obstacle  in  applying  the 
tort  liability  to  cyber  security  breaches. 

The  only  problems  in  applying  tort  liability  to  all  ISPs  is  that  there  is 
no  uniform  standard;  that  it  would  be  difficult  to  provide  such  a  standard; 
and  that  dual  or  multiple  standard  would  surely  motivate  some  ISPs  to 
maintain  a  lower  level  of  security  due  to  economic  reasons.  The  result  of 
this  dilemma  will  be  that  no  deterrence  functions  on  hackers. 


Liability  of  Security  Problems  Publishers 


The  security  (holes)  publisher  has  two  aspects  of  gain  from  the  publication, 
one  is  that  the  publication  can  prevent  some  harm  suffered  by  the  general 
public,  the  other  is  that  the  publication  realises  more  economic  or  other 
benefits.  However,  it  takes  great  risk  resulting  in  users’  losses  in  case 
hackers  exploit  the  publicized  loopholes.  In  addition,  the  users  have  to 
invest  in  improving  their  security  protection  when  they  know  the  new 
publicized  loopholes. 

According  to  Coarse’s  general  principle  (Coase  1960)， whether  the 
publisher  should  be  held  liable  for  his  publication  is  a  question  of  whether 
the  gain  of  both  the  general  public  users  from  stopping  the  potential  harm 
and  the  publisher  himself  from  obtaining  a  higher  confidence  value  is 
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greater  than  the  losses  that  the  users  suffer  from  the  attacks  launched 
exploiting  the  publicized  loopholes  and  from  the  extra  investment  in 
preventing  such  attacks.  In  different  cases,  the  cost  effectiveness  is 
different,  and  is  hard  to  prove.  Finally,  as  Preston  and  Lefton  put  it: 

The  question  is  not  whether  an  individual  publication  causes  more 
harm  than  good;  it  is  whether  a  particular  rule  of  liability  governing 
computer  security  publications  causes  more  harm  than  good  (Preston,  and 
Lofton  2002,  p.  130). 

Liability  of  Security  Providers 


The  rapid  growth  of  the  computer  security  industry  leads  people  to 
consider  whether  security  providers  should  be  held  liable  when  their 
products  and  services  fail  to  protect  against  hackers.  Developing  higher 
security  level  of  products  and  providing  high  security  level  of  services  are 
costly,  but  work  to  prevent  hacking  from  taking  place. 

Security  providers’  liability  will  create  incentives  for  them  to  provide 
products  or  services  of  at  least  a  standard  level.  The  products  and  services 
containing  security  holes  take  great  risks  of  product  liability  if  their 
advertisements  stated  that  they  are  “hack-proof’  (Drummond  and 
McClendon). 

The  problem  with  holding  security  providers  liable  is  that  goods  and 
services  are  usually  provided  subject  to  contract  or  licensing  agreements, 
making  tort  liability  inappropriate  because  the  parties  have  bargained  to 
allocate  the  risk  between  them  (Perle,  Fischer,  and  Williams  2000). 

The  reasonable  way  in  which  the  agreements  are  concluded  is  that 
neither  of  the  two  parties  wants  to  bear  more  risk.  But  in  general,  the 
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party  of  product  or  service  users  might  have  the  greater  discretion  in 
choosing  with  more  guarantees  and  less  expenses.  The  security  providers 


will  be  generally  worse-off. 


Liability  of  Software  Vendors 


Most  of  the  security  holes  come  from  the  bad  design  of  software  (and 
sometimes  hardware).  The  software  vendors  control  the  only  key  to  solve 
this  problem  through  fixing  their  software.  However,  this  work  also 
consumes  human  resources  and  investments  in  terms  of  money.  Therefore, 
vendors  generally  do  not  have  the  incentive  to  do  so.  A  way  to  incorporate 
their  better  work  into  their  best  interests  is  to  raise  the  risk  of  liability, 
which  will  raise  the  cost  of  their  products.  If  software  vendors  have 
liability  costs,  they  will  pass  those  on  to  users.  In  turn,  the  vendors  might 
as  well  pay  to  fix  the  problems. 


Liability  of  Software  Authors 


Since  the  authors  of  software  (the  programmers)  have  the  biggest 
opportunity  to  prevent  problems， it  seems  appropriate  to  focus  on  making 
them  responsible  for  the  security  of  their  products  (Fisk  2002). 
Nonetheless,  there  are  some  unique  aspects  of  computer  software  that 
make  it  challenging  to  apply  traditional  notions  of  product  liability. 

Under  such  circumstances,  if  we  impose  liability  on  the  authors,  it  is 
impossible,  because  the  author  gets  no  income  to  pay  the  compensation;  it 
is  inefficient， because  the  author  would  be  discouraged  from  contributing; 
and  it  is  also  unfair,  because  the  users  use  the  software  for  free  and 
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voluntarily. 


Liability  of  System  Owners 


Systems  can  be  both  targets  and  tools  in  attacks.  For  example  in  a 
Distributed  Denial  of  Service  attack， the  attacks  are  launched  from 
numerous  manipulated  computers.  The  owners  of  such  systems,  who  use 
software  written  and  sold  by  third  parties,  cannot  fully  secure  their 
systems,  cannot  stop  unforeseeable  outsiders’  exploitation,  and  have  no 
way  to  reduce  the  risks.  In  order  to  hold  the  system  owners  liable， two 
prerequisites  are  necessary  to  be  in  place:  the  establishment  of  a  security 
standard,  and  the  mechanism  of  insurance.  The  latter  was  discussed  by 
Fisk  in  analogy  to  vehicle  operators  who  are  often  legally  required  to  carry 
insurance  against  accidents  (Fisk  2002). 


Conclusion 


This  Chapter  argues  that  cybersecurity  is  a  private  good  and  should  be 
provided  mainly  by  the  private  sector.  Regarding  cybersecurity  as  a  public 
good  would  discourage  the  private  sector  to  invest  in  security  provision. 
From  this  standpoint,  an  early  government  intervention  would  reduce  the 
effectiveness  and  efficiency  of  cybersecurity. 

However,  in  terms  of  prevention  of  security  breaches,  law 
enforcement  can  play  an  important  role  in  establishing  and  enforcing 
liability  mechanisms.  Although  it  is  still  controversial  whether  and  how 
cyber  security  players  should  be  held  liable  for  their  activities,  every  step 
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made  in  this  direction  will  bring  benefits  to  the  private  sector  to  achieve 
their  goals. 
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CHAPTER  III  IMPACT  OF  ANONYMITY  ON 
CYBERSECURITY 


Introduction 


The  pervasion  of  information  systems  facilitates  efficient  access  to 
information.  While  privacy  is  at  high  risk,  anonymity,  invisibility,  and 
concealment  of  criminal  traces  become  issues  of  broad  concerns.  The 
anonymity  of  cyberspace  makes  identity  tracing  a  noteworthy  predicament 
which  poses  obstacles  in  detection  and  investigations.  This  Chapter  deals 
with  the  formation  and  problem  of  anonymity  in  cyberspace  in  general， 
and  anonymity  of  cybercriminals  in  particular.  It  has  been  found  that 
cyber  anonymity  has  critical  impacts  on  criminal  motivation,  and  the 
phenomena  of  victimization,  and  should  be  tackled  on  different  layers 
including  technology  and  law  enforcement. 


Following  this  section,  the  Chapter  will  explore  how  the  anonymity 
symbolizes  the  cyberspace,  what  threats  are  posed  by  cyber  anonymity 
against  social  order,  how  the  anonymity  protects  cybercriminals,  how  the 
trans-territorial  anonymity  was  facilitated,  and  the  real  impact  of 
anonymity  on  law  and  order  in  the  information  society. 
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Wrestling  between  Cyber  Anonymity  and  Law  and  Order 


Information  systems  have  been  increasingly  critical  in  facilitating 
efficient  access  to  information.  Today,  approximately  3  billion  users,  or 
42%  of  the  world  population  (Internet  World  Stats  2014)  entered  a  new 
space  networked  by  instant  transfer  of  information.  With  much  more 
information  being  accumulated,  consumption  of  information  becomes  a 
double-edged  process.  While  there  is  superfluous  spam  information, 
privacy  is  at  high  risk.  Although  people  have  appreciated  the  value  and 
significance  of  cyber  anonymity,  negative  concerns  also  emerge  in 
anonymity,  invisibility,  and  concealment  of  criminal  traces.  Cybercrime 
differs  from  traditional  crimes  in  many  different  ways,  including  its 
universality  and  complexities,  in  particular,  its  anonymity,  concealment, 
and  invisibilities.  The  anonymity  of  cyberspace  makes  identity  tracing  a 
noteworthy  predicament  which  poses  obstacles  in  detection  and 
investigations. 

For  example,  in  the  case  of  spam,  the  e-mail  can  be  both  the 
instrument  and  the  objective  that  are  used  in  commercial,  political, 
malicious,  or  illegal  schemes.  As  a  marketing  and  communications  means, 
e-mail  has  been  gradually  abused.  Unsolicited  commercial  mails  (UCE) 
are  typically  sent  anonymously  or  with  a  fabricated  identity,  and  the 
recipients  cannot  discontinue  successive  messages.  Messages  of  this  kind 
furthermore  consist  of  false  or  misleading  headers,  deceiving  recipients  to 
retrieve  messages  that  they  do  not  desire.  Moreover,  the  recipients  have 
no  technique  of  expressing  their  inclination  not  to  receive  such  messages, 
and  have  no  approach  of  requesting  compensation  even  if  they  undergo 
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loss.  The  abuse  of  e-mail  has  turned  into  a  public  annoyance  in  the  online 
background.  Even  if  the  application  of  anti-spam  services  and 
technologies  is  escalating,  the  degree  of  spam  is  continuing  to  boost  as 
swift  (OECD  2004,  pp.  2-3;  OECD  2005,  p.  6),  becoming  a  predicament  not 
only  for  individual  e-mail  accounts,  but  also  for  business  accounts. 

Another  example  is  cyber  terrorism.  Despite  the  fact  that  cyber 
terrorism  has  not  developed  into  a  reality  as  lots  of  people  worried  at  the 
end  of  20th  century,  it  becomes  a  gorgeous  preference  for  modern-day 
terrorists  for  a  number  of  reasons  (Weimann  2004,  p.  6).  It  is  cheaper, 
more  anonymous,  aiming  at  a  more  massive  target  and  number  of  targets, 
distantly  conducted,  and  affecting  a  larger  number  of  people  globally. 
International  society  has  barely  implemented  any  countermeasures 
against  conventional  terrorism  in  the  last  few  years.  Weimann  claimed 
that  terrorism  in  cyberspace  was  more  anonymous  than  conventional 
terrorist  schemes.  The  fact  that  terrorists  could  exploit  “screen  names”  or 
log  on  as  a  “guest  user”  makes  it  very  difficult  for  security  agencies  and 
police  forces  to  track  down  their  real  identity.  What  made  it  worse  were 
that  in  cyberspace  there  were  no  physical  barriers  such  as  checkpoints  to 
navigate,  no  borders  to  cross,  and  no  customs  agents  to  outsmart  (ibid.,  p. 
6)， making  terrorists  specially  unidentified. 

Maybe  the  most  real  threats  and  the  most  serious  worries  come  from 
offences  such  as  harassment  and  murder.  In  offences  where  information 
systems  are  used  as  means  of  committing  verbal  assault,  threat, 
harassment,  alarming,  spam  and  fraud,  the  motivation  of  the  perpetrator 
is  to  harass  and  to  kill  the  victim.  The  function  of  the  Internet  as  a  means 
of  communications  and  with  a  high  anonymity  of  interaction  often  entraps 
the  victims  into  unforeseeable  dangers.  In  2005， China  Ministry  of  Public 
Security  investigated  1,000  assassination  cases， in  many  of  which  the 
criminals  found  the  potential  victims  through  the  Internet  (Yi  2006).  In 
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many  criminal  cases,  stalkers  and  murderers  find,  follow,  entice,  and 
intimidate  victims  through  the  communication  and  interaction  of  various 
Internet  services,  usually  anonymously. 

On  the  other  hand,  concerning  the  legal  status  of  cyber  anonymity, 
people  have  long  been  disputing  in  vain.  Conventional  countermeasures 
and  theories  about  crime  prevention  were  based  on  its  material  influence 
and  on  the  material  environment,  although  non- material  factors  have 
long  existed,  too.  Activities  in  information  systems  can  be  expressed  in  a 
physically  invisible  form.  What  are  physically  visible  in  information 
systems  are  those  physical  existences,  such  as  hosts  and  terminals, 
displayers,  keyboards,  mouse,  and  cables,  while  the  mechanisms  by  which 
the  computers  function  are  invisible.  Cyberspace  is  developed  from 
information  systems  as  an  abstract  space,  differing  from  the  material 
devices  of  information  systems  that  include  terminals  and  cables.  It  is 
invisible  and  intangible  if  compared  with  traditional  space  (Khosrow-Pour 
1998,  p.  440;  Robertson  2000， p.  248;  Dodge  and  Kitchin  2001， p.  81). 
When  a  web  page  is  surfed,  what  can  be  seen  is  only  the  display  of 
information  on  the  screen.  The  web  site  is  not  physically  a  reading  room 
where  people  can  read  magazines,  newspapers  and  books,  listen  to  audio 
records  or  watch  videos,  nor  a  marketplace,  bank,  street,  or  forum.  It  is 
merely  a  collection  of  web  pages  written  in  various  mark-up  languages, 
comprised  of  letters,  numbers,  and  symbols  in  common  use,  but  which 
facilitate  the  functions  of  linkage  to  other  media,  communicating  with 
other  people  or  directing  to  other  services.  The  electronic  address  is  not 
necessarily  located  along  a  street,  in  a  building  or  even  in  a  city,  province, 
or  country.  In  addition， the  online  services  are  usually  provided  in  the 
manner  of  a  remote  transaction  paid  by  means  of  digital  cash  or  virtual 
money.  Finally,  the  Internet  users  include  individuals  and  institutions, 
but  they  do  not  necessarily  appear  in  person  or  in  an  entity  in  a 
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traditional  library,  forum,  marketplace,  bank,  or  along  a  street.  It  is 
entirely  an  invisible  community  in  an  invisible  space —— a  group  of 
anonymous  netizens  interact  behind  curtains  or  masks. 

The  invisibility  of  cyberspace  worsens  the  situation  caused  by  cyber 
anonymity,  in  the  sense  that  criminals  and  offences  in  cyberspace  become 
more  concealed,  while  criminal  justice  faces  greater  difficulties. 


Anonymity  Symbolizes  Cyberspace 


The  disappearance  of  physicality  in  activities  on  the  Internet  symbolizes 
the  new  way  for  daily  routines,  and  presents  a  chance  for  new  practice 
and  changes  in  faiths,  positions,  and  manners  (Zigrus  2001， p.  171).  To  a 
certain  extent,  Internet  services  are  provided  for  every  user  who  owns  a 
computer  and  a  modem  or  cable  linked  to  the  server.  The  real  identity  of 
the  user  is  not  necessary  for  using  the  Internet.  That  is  to  say,  a  high 
degree  of  anonymity  is  achievable.  Anonymity  could  indicate  an  intention 
to  lie  or  not,  to  do  something  deceit  or  not.  In  the  environment  of  online 
communications,  particularly  during  interaction  between  remote 
strangers,  information  systems  provide  the  possibility  of  maintaining 
anonymity,  and  we  found  that  the  users  of  information  systems  have  the 
willingness  to  stay  passively  anonymous,  not  necessarily  actively  lying  to 
their  counterparts. 

In  the  case  of  e-mail,  it  is  uncomplicated  to  register  an  e-mail  account 
with  false  information,  or  to  send  messages  in  the  name  of  a  certain 
person.  These  e-mails  may  not  only  infringe  the  legal  rights  and  interests 
of  the  person  of  the  counterfeited  identity,  but  also  are  able  to  fabricate  a 
rumour,  slander  other  people,  harm  other  people’s  reputation,  or  practise 
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unfair  competition  to  reduce  the  competitor’s  trustworthiness.  No 
obligation  of  free  e-mail  service  providers  has  been  established  to 
investigate  the  registrants’  identity  information.  In  addition,  some  web 
sites  also  provide  anonymous  e-mail  services  or  sell  anonymous  e-mail 
software  (Examples  of  such  services  and  software  can  be  searched  out 
with  search  engines).  Under  such  circumstances,  the  traceback  of  the  real 
sender  is  impossible.  Only  where  the  providers’  status  is  clear,  under 
vicarious  liability,  can  it  be  useful  for  law  enforcement  in  some 
jurisdictions  to  hold  the  re-publisher  responsible  for  the  content  of  the 
original  author  (Edwards  and  Walde， eds.  1997,  Part  4). 

E-mail  has  frequently  been  abused  in  an  anonymous  manner  so  as  to 
realize  a  fraudulent  scheme.  This  anonymity  not  only  facilitates  a  lie,  but 
may  also  support  a  fraud.  In  R.  v.  Mastronardi  (2006  BCSC  1681),  the 
accused,  met  the  plaintiffs  through  an  Internet  dating  service,  during 
which  the  accused  misrepresented  himself  as  a  single  person  and  engaged 
in  relationship  with  several  victims.  He  represented  himself  as: 

“(a)  coming  from  a  large,  powerful  and  wealthy  Sicilian  family; 

(b)  being  a  widower  seeking  a  wife; 

(c)  being  a  medical  doctor  with  a  specialty  in  gynaecology; 

(d)  having  hospital  privileges  and  a  clinic; 

(e)  being  a  kind,  caring  and  considerate  person  with  positive  family 
and  moral  beliefs,  conveyed  in  conversations  that  went  on  for  hours  on 
end; 

(f)  having  elaborate  and  sometimes  bizarre  family  and  cultural 
traditions  requiring  highly  submissive  wives  and  amalgamation  of 
finances  to  an  account  controlled  by  him; 

(g)  as  time  went  on,  being  third  in  command  in  mafia  like  family 
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organization; 


(h)  not  wanting  to  date,  but  wanting  to  immediately  enter  into  an 
intimate  relationship,  after  which  his  culture  and  family  regarded  them 
as  married; 

(i)  once  so  married,  his  family  required  him  to  follow  family  and 
cultural  traditions.”  (paragraph  4) 

In  R.  v.  Farkas,  the  accused  engaged  in  online  fraud  by  using 
different  e-mail  addresses,  mailing  addresses,  and  user  names, 
victimizing  sellers  and  purchasers  distributed  in  the  U.  S”  Canada,  and 
England  (2006  ONCJ  121， 10  April  2006).  In  R.  v.  Reynolds  &  Ors， the 
accused  engaged  in  online  chat  claiming  himself  to  be  a  16-year-old  boy, 
attempting  to  make  young  girls  expose  their  bodies  and  transmit 
photographs  to  him  over  the  Internet  ([2007]  EWCA  Crim  538  (08  March 
2007)). 

There  are  many  ways  by  which  people  make  efforts  to  detect  lies, 
usually  including  various  clues  to  emotion  that  may  disclose  the  situation 
of  lying  (Ekman  1992， as  cited  in  Howitt  2002， pp.  251-253).  However,  in 
the  electronic  lie， none  of  the  clues  can  be  useful,  particularly  those 
emotional  ones,  because  there  is  no  face-to-face  interaction.  Rather,  the 
interaction  itself  is  covered  by  a  human-machine-human  fig  leaf. 

Another  field  where  people  usually  maintain  anonymity  is  interaction 
in  chat  rooms.  Accounting  for  a  considerable  fraction  of  the  income  of  the 
commercial  online  providers,  chat  systems  support  synchronous 
communication,  discussion  on  different  topics,  trans-territorial 
relationships  on  common  interests,  and  ignorance  of  social  status 
(Internet  Crime  Forum  IRC  subgroup  2001， pp.  7-9;  Rowland  1998; 
Wilbur  1997,  p.  5.).  The  biggest  advantage  of  the  interaction  in  chat  rooms 
is  that  the  user  can  keep  anonymous  at  the  beginning  of  the  chat  or 
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remain  anonymous  during  the  whole  process.  Keeping  anonymous  means 
that  people  are  able  to  fabricate  identities  that  cannot  be  used  to  identify 
them.  By  disguising  themselves,  users  can  perpetrate  fraud  and  many 
other  related  activities.  This  approach  is  definitely  useful,  too， in 
detection  and  investigation  of  crimes,  where  law  enforcement  uses 
falsified  identity  to  allure  and  arrest  suspects.  For  example,  in  United 
States  v.  Helder,  (Eighth  Circuit,  No.  05-3387， 16  March  2006)， an 
undercover  officer  used  a  screen  name  and  claimed  to  be  a  14-year-old  girl 
to  entrap  the  perpetrator  (pp.  2-4);  in  United  States  v.  Baker  (Seventh 
Circuit,  No.  05-2499,  24  January  2006)， an  undercover  officer  used  a 
screen  name  and  claimed  to  be  a  14-year-old  boy  to  entrap  the  perpetrator 
(pp.  2-3);  in  United  States  v.  Antelope  (Ninth  Circuit  No.  03-30557,  8  June, 
2004.  Docket  num.  03-30334， January  2005)， the  accused  joined  an 
Internet  site  advertising  ”  Preteen  Nude  Sex  Pics’’  and  started 
corresponding  with  an  undercover  law-enforcement  agent,  in  respect  of 
whom  the  accused  was  entrapped  when  he  ordered  a  child  pornography 
video  over  the  Internet;  in  United  States  v.  McGraw  (Tenth  Circuit  No. 
02-1407,  D.  C.  No.  01-CR-426-B,  2  December  2003)， the  accused  was  also 
caught  by  an  undercover  agent,  with  whom  he  expressed  his  interests  in 
“having  sexual  contact  with  'white  males  between  the  ages  of  12  and  15’，’’ 
and  arranged  a  encounter  (See  also  R.  v.  Randall， Provincial  Court  of 
Nova  Scotia  2006  NSPC  19,  No.  1538177， 28  April  2006).  The  actual 
reality  is  that,  in  information  systems,  determining  users’  identity  proves 
difficult,  but  not  impossible. 


Potentiality  of  Anonymity 
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Communicating  anonymously  is  a  great  characteristic  of  the  Internet 
environment.  In  using  the  Internet,  anonymity  can  be  kept  from  the 
beginning  to  the  end.  First,  anonymous  access  to  the  Internet  poses  the 
most  serious  threat.  In  many  countries,  one  of  the  most  important  forms 
of  using  the  Internet  is  realized  through  cyber  cafes  or  libraries,  where 
anonymous  users  can  access  many  of  the  online  services.  Definitely,  there 
exist  different  situations  in  different  countries.  Compared  with  Finland 
where  there  are  few  cyber  cafes  in  towns  and  cities,  the  cyber  cafes  in 
China  have  become  the  “third  space”  of  school-aged  juveniles  besides 
home  and  school.  The  facilities  and  services  in  academic  or  public  libraries 
are  far  less  convenient  for  users  than  those  in  cyber  cafes  managed  by 
private  firms.  An  increasing  number  of  hacking  cases  involving  the 
Internet  or  Internet  users  are  committed  or  conspired  in  cyber  cafes. 

Secondly,  anonymous  subscription  to  the  Internet  services  raises  the 
difficulty  of  identifying  users.  The  personal  information  provided  for  the 
registration  of  an  e-mail  account,  the  name  and  address  of  e-mail 
messages,  and  the  authors’  information  in  Usenet,  etc.,  can  all  be 
fabricated.  Keeping  identity  anonymous  is  favourable  for  the  protection  of 
users  from  victimization,  but  it  also  favours  the  hiding  of  perpetrators 
from  being  traced. 

Thirdly,  users  can  keep  their  identity  anonymous  in  the  process  of 
online  communications.  There  are  also  mechanisms  for  keeping  complete 
anonymity  by  which  one  user  can  send  messages  to  other  users,  and  then 
the  messages  are  transmitted  to  the  final  target,  such  as  newsgroup,  e- 
mail  list,  or  a  single  e-mail  account.  What  makes  it  more  complex  is  that 
in  the  mechanisms  the  intermediary  can  only  be  a  programme  and  may  be 
in  another  jurisdiction  (Kingdon  1994).  This  also  reminds  us  that  there 
exists  the  possibility  of  numerous  transmitting  points,  by  which  messages 
are  transmitted  from  one  terminal  to  the  next  terminal,  from  that  to  the 
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next  in  line， and  so  on， until  the  message  reached  the  destination. 

Tracing  this  transmitting  process  is  theoretically  possible.  During  the 
tracing  process,  the  investigation  is  exactly  the  contrary  to  the  process  of 
transmission.  Each  time， the  investigator  can  trace  back  one  point. 

It  is  likely  that  all  points  are  identifiable.  Nevertheless,  as  long  as 
there  is  an  unexpected  element  at  any  point,  the  tracing  chain  can  be 
disrupted  without  reaching  the  original  source.  According  to  National 
Police  Agency  of  Japan  (1998)， the  possible  examples  include  that  the 
victim  has  no  record  of  the  Internet  Protocol  (IP)  address;  ISPs  do  not 
keep  suitable  records;  hackers  alter  the  logs;  or  some  points  are  located  in 
countries  that  have  not  criminalized  hacking.  As  Koch  (lnter@ctive  Week, 
10  July  2000)  has  pointed  out,  theories  about  detection  remain  theories, 
and  they  are  too  new  to  be  tested  in  practice.  Even  if  all  the  work  of 
traceback  is  fulfilled,  the  actual  value  of  this  work  may  be  discounted  in  a 
judicial  process  because  of  different  locations  and  thus  diversified 
jurisdictions. 

Fourthly,  the  specific  service  or  software  can  play  further  roles  in 
hiding  users.  Cybercriminals  usually  establish  anonymizers,  which  are 
systems  particularly  designed  to  invalidate  technical  identification  of  the 
source  of  communications  (See  Belgium’s  answer  to  the  “Questionnaire 
5:  Have  you  received  any  reports  from  your  law-enforcement  authorities 
that  have  indicated  an  obstruction  of  their  work  due  to  the  non-existence 
of  appropriate  legal  instruments  concerning  traffic  data  retention?”  in 
Council  of  the  European  Union， Council  doc.  11490/1/02  CRIMORG  67 
TELECOM  4  REV  1， Brussels,  20  November  2002).  In  fact， this  kind  of 
service  or  software  can  also  be  conveniently  obtained  free  of  charge  or  at 
an  inexpensive  price  from  the  Internet.  Everyone  who  is  online  can  get 
access  to  these  tools  and  services.  Such  software  is  likely  to  be  replicated 
and  spread  unlimitedly,  creating  a  bigger  population  of  hidden  users  who 
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potentially  threaten  the  security  of  information  systems. 

Although  the  anonymity  of  cybercriminals  poses  a  series  of  questions, 
it  is  still  the  core  of  the  “perfect  environment”  for  the  criminals.  Levinson 
(2002,  p.  455)  said  that  anonymity  is  exploited  by  perpetrators  of  old 
crimes  such  as  fraud,  pornography,  gambling,  stalking  and  identity  theft, 
or  new  crimes  such  as  unauthorized  access,  denial  of  service,  and 
malicious  programmes.  Yet  it  is  at  the  same  time  welcomed  by  Internet 
users.  People  are  constantly  concerned  that  without  online  anonymity,  it 
could  be  impossible  to  guarantee  fundamental  rights  (COM(2000)  890 
final,  p.  20;  National  Police  Agency  of  Japan  1998).  It  is  not  strange  that 
the  European  Union  Data  Protection  Working  Paiiy’s  Recommendation 
recognized  that  online  anonymity  brings  about  a  dilemma  for 
governments  and  international  organizations  (The  Article  29  Data 
Protection  Working  Party  2001):  in  particular,  in  maintaining  human 
rights  to  privacy  and  freedom  of  expression,  and  combating  cybercrimes 
(COM(2000)  890  final,  p.  20).  Philip  (2002)  warned  that  anonymity  can 
provide  users  with  “the  courage  to  do  the  outrageous  and  sometimes  even 
resort  to  illegal  activities.” 

Mitchell  and  Banker  (1997， pp.  707-711)  have  concluded  that  there 
are  four  characteristics  in  which  cybercrimes  are  different  from 
traditional  crimes,  that  is  to  say,  difficulties  in  detection,  limited 
reporting,  jurisdictional  complexities,  and  resource  constraint.  All  these 
four  aspects  fall  under  the  broad  characteristic  of  concealment.  The 
concealment  of  cybercrimes  has  been  brought  about  by  other  technological 
and  human  factors  (Conly  1991;  Clark  1996;  Stephenson  2000;  Mandia 
and  Prosises  2003;  Mohay  and  co-workers  2003;  Vacca  2005;  Johnson 
2006). 

Most  of  traditional  offences  are  greatly  observable  due  to  apparent 
depredations,  presence  of  witnesses,  and  so  on.  There  are  also  traditional 
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crimes  that  occur  in  private  places  and  become  less  visible  (Walsh  1983,  p. 
236).  Unlike  traditional  threats  where  criminals  are  physically  present  at 
the  crime  scene,  cyb er criminal s  are  usually  not  present  at  the  crime  scene 
thus  making  apprehension  difficult  (Speer  2000， p.  260).  In  information 
systems， executing  a  command  to  delete  files  does  not  mean  that  the  files 
are  permanently  deleted.  What  happens  is  merely  that  files  are  hidden 
due  to  a  change  in  file  names  so  that  the  files  can  be  recovered.  In  United 
States  v.  Angevine  (Tenth  Circuit  No.  01-6097,  D.  C.  No.  00-CR-106-M,  22 
February  2002)， ’’the  computer  expert  used  special  technology  to  retrieve 
the  data  that  had  remained  latent  in  the  computer’s  memory,”  though  the 
accused  had  attempted  to  delete  the  relevant  files.  In  United  States  v. 
Upham  (First  Circuit  No.  98-1121， 12  February  1999)， the  investigator 
used  the  “undelete”  function  of  a  programme  to  recover  deleted  files  from 
the  deposit  media， as  primary  evidence  in  conviction.  In  Robertson  v.  Her 
Majesty’s  Advocate  ([2004]  ScotHC  11  (17  February  2004)),  the  police 
recovered  347  deleted  images  from  the  unallocated  space,  and  878  images 
and  45  movies  from  deleted  zip  file  within  the  disc.  Only  when  a  secure- 
eraser  programme  is  in  use,  the  files  are  permanently  deleted.  For 
example,  in  the  case  of  International  Airport  Centres,  L.  L.  C.?  et  al  v. 
Jacob  Citrin  (Seventh  Circuit  No.  05-1522,  24  October  2005)  (p.  2).  Skilful 
criminals  can  disable  this  kind  of  security  mechanism,  and  conceal  the 
data  that  might  possible  be  taken  as  evidence  in  prosecution. 

Technological  advances  have  both  a  positive  impact  on  businesses 
and  a  negative  impact  on  law  enforcement  (Institute  for  Security 
Technology  Studies  2002).  For  example,  in  the  DrinkOrDie  case,  the 
online  software  piracy  group  concealed  its  actions  by  various  security 
measures:  exchanging  e-mails  via  private  mail  server  using  encryption; 
using  a  nickname  to  identify  members,  and  communicating  about  group 
business  only  in  closed,  invite -only  IRC  channels;  the  FTP  sites,  where 
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tens  of  thousands  of  pirated  software,  game， movie,  and  music  titles  were 
deposited,  were  secured  by  particular  authentication  mechanisms  (U.  S. 
Department  of  Justice,  Press  release,  17  May  2002).  On  the  other  hand, 
the  available  technological  solutions  have  not  completely  met  the 
requirement  of  data  collection,  log  analysis,  and  Internet  protocol  tracing 
(American  Society  for  Industrial  Security  2004， p.  40).  There  is  also  the 
necessity  for  law-enforcement  agencies  to  recruit  personnel  with 
“electrical  engineering  and  computer-science  backgrounds”  (Fields  2004,  p. 
Bl); 

Inevitably,  critics  point  out  that  cyber  police  have  extra  incentives 
than  combating  cybercrime,  for  example,  asking  for  more  money,  more 
wiretap,  bugs  in  computers  and  sell  phones,  weak  encryption  and 
permission  to  implement  security  technology,  without  more  arrest 
following  (Koch  Inter@ctive  Week,  10  July  2000). 

Concealment  of  crimes  has  important  economic  effects.  Stanley  (1995, 
p.  2)  stated  that  concealment  of  crime  can  decrease  the  incentives  not  to 
perpetrate,  and  increase  the  costs  of  law  enforcement.  Concealment  of 
cybercrime  demonstrates  the  low  probability  of  punishment.  In  the  U.  S” 
only  one  in  100  cases  was  detected， one  in  8  prosecuted,  while  only  one  in 
33  prosecuted  cybercrimes  resulted  in  a  prison  sentence.  That  is  to  say, 
the  likelihood  that  a  cybercriminal  would  be  put  into  prison  was  a  one  in 
26,400  chance  (Daler  and  co-workers  1989， p.  22)， as  compared  with  the 
likelihood  of  imprisonment  in  traditional  bank  robbery  a  one  in  three 
chance  (ibid.).  Law-enforcement  agencies  found  that  a  majority  of 
cybercrimes  never  reached  the  criminal-justice  system.  Even  in  the 
relatively  few  cases  where  a  crime  was  reported,  most  often  the  criminal’s 
identity  was  never  discovered.  As  a  consequence,  as  Radzinowicz  and 
King  (1977,  p.  67)  pointed  out， “The  calculation  of  chance  is  as  applicable 
to  the  commission  of  crime  as  to  many  other  activities.”  Given  other 
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factors  constant,  if  cybercrime  is  more  concealed  than  other  offences,  the 
potential  perpetrators  are  more  motivated  to  take  illegal  actions  on  the 
Internet,  and  thus  more  offenders  of  traditional  crime  will  be  prepared  to 
migrate  to  cyberspace. 


Trans-territorial  Anonymity 


Free  flow  of  information  from  one  state  to  another  is  a  purpose  of 
information  systems  (Directive  95/46/EC,  Preamble  (3);  UN  A/RES/51/162; 
Council  of  Europe  Convention  for  the  Protection  of  Individuals  with 
Regard  to  Automatic  Processing  of  Personal  Data,  Article  12)， but  trans- 
border  flow  is  not  free  (The  Convention  mentioned  above,  Article  12 
provides  the  limit  on  trans-border  transfer  of  data).  The  trans-border 
information  flux  is  accompanied  by  risks  of  crime  of  a  similar  nature.  In 
any  country,  the  court  must  have  jurisdiction  over  the  person  or  the 
subject-matter  of  a  lawsuit.  This  works  well  with  the  current  set-up  of 
law-enforcement  agencies  that  are  territorial  and  are  operating  in 
different  villages,  towns,  districts,  cities,  counties,  states  or  provinces,  or 
national  boundaries.  Nevertheless,  unauthorized  access  to  information 
systems  can  be  accomplished  from  virtually  anywhere  on  the  networks 
(See  cases  such  as  United  States  v.  Tenebaum  (Israel),  18  March， 1998, 
involving  an  Israeli  hacking  United  States  military  computers;  United 
States  v.  Gorshkov  (W.D.  Wash)  4  October  2002,  Russian  hacker;  United 
States  v.  McKinnon  I  (E.D.  Va.)  and  II  (D.  N.J.)  12  November  2002, 
British  National  Hacked  into  the  U.  S.  Military  Networks;  United  States 
v.  Zezev  (S.D.  N.Y.)  1  July  2003,  Hackers  from  Kazakhstan;  United  States 
v.  Ivanov  (D.  Conn.)  25  July  2003， Russian  hacker),  because  the 
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communications  capability  of  cyberspace  allows  criminals  to  conspire 
more  easily,  without  geographical  proximity  to  one  another  or  to  the 
target  (Lenk  1997， pp.  126-135).  The  international  characteristic  of 
cybercrime  is  evident  (National  Police  Agency  1998).  In  fact,  some  of  the 
cases  prosecuted  have  been  of  this  nature,  for  instance,  R.  v.  Kozun  (2007 
MBPC  7)， where  the  forensic  analysis  of  the  computer  of  the  accused 
disclosed  that  165  separate  users  from  15  countries  had  traded  through 
his  computer.  The  computer  was  converted  into  an  automated  trading 
centre  through  a  programme,  by  which  141  users  had  traded  in  the 
previous  13  days. 

The  sphere  of  legal  jurisdiction  makes  the  cybercrime  enforcement 
more  complicated  (Lee  and  co-workers  1999， p.  873).  Smith,  Grabosky, 
and  Urbas  (2004)  concluded  that  the  trans-national  dimension  of 
cybercrime  posed  four  formidable  challenges  for  prosecutors,  who  have  to 
determine  whether  the  conduct  in  question  is  criminal  in  their  own 
jurisdiction,  collect  sufficient  evidence  to  mobilize  the  law,  identify  the 
perpetrator,  and  determine  his  or  her  location,  and  decide  whether  to 
leave  the  matter  to  the  local  authorities  or  to  extradite  the  offender  (pp. 
48-49). 

Sinrod  and  Reilly  (2000， p.  2)  have  pointed  out  that  although  some 
international  organizations  are  examining  cooperative  mechanisms  in  the 
field  of  fighting  against  cybercrime,  many  of  their  members  are  slow  in 
recognizing  the  urgency  of  the  situation. 

The  elimination  of  borders  favours  inter-jurisdictional  mobility  of 
crime.  Due  to  the  actual  difficulty  in  establishing  jurisdiction,  even  if  a 
certain  offence  is  detected,  it  is  still  uncertain  whether  the  way  can  easily 
lead  to  punishment.  In  R.  v.  Burns  ([2003]  NICC  13(2)  (12  September 
2003))， where  the  accused  cloned  mobile  phones,  or  exploited  faults  or 
loopholes  in  the  internal  phone  systems  of  companies  or  organizations  to 
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make  cheap  or  free  calls  at  the  expense  of  those  companies  or 
organizations,  the  court  found  that: 

“As  the  investigation  progressed  it  became  more  wide-ranging  and 
involved  another  suspect  and  its  ramifications  were  such  that  it  eventually 
spread  to  other  parts  of  the  United  Kingdom,  to  Tokyo,  to  South  America, 
as  well  as  to  New  Jersey  and  Atlanta  in  the  United  States  of  America. 
Several  large  organizations  in  the  United  Kingdom,  other  police  forces  and 
international  telephone  companies  were  involved.  When  it  became 
apparent  to  the  police  that  they  did  not  have  either  the  specialist 
equipment  or  the  necessary  expertise  to  access  much  of  the  information, 
specialist  firms  had  to  be  engaged.  All  of  this  took  a  great  deal  of  time.” 
Reasonably,  suggestions  have  been  made  to  incorporate  cyberspace  into 
various  jurisdictional  frameworks.  Nonetheless,  this  needs  a  great  deal  of 
time,  agreement,  and  co-operation  between  countries,  which  are  still 
struggling  to  take  common  actions. 

Finally,  it  is  worth  noting  that  trans-national  cases  just  make  up  a 
inconsequential  part  of  cybercrime.  No  convinced  conclusion  can  be  drawn 
because  it  is  probable  that  trans-national  offences  are  not  as  prevalent  as 
scholars  have  assumed.  On  the  other  hand,  it  is  difficult  to  reveal  these 
offences  for  reasons  that  scholars  have  laid  bare.  Or,  it  may  be,  that  it  is 
simply  law  enforcement  does  not  put  sufficient  emphasis  on  these  offences. 
Before  credible  data  are  available  to  give  an  answer  to  this  question,  we 
have  certain  reasons  to  claim  that  trans-national  offences  have  sometimes 
of  a  dual  nature:  they  do  not  appear  as  prevalent  as  domestic  offences,  but 
they  are  more  difficult  to  detect  and  convict.  In  addition,  because  the 
investigation  of  trans-national  offences  is  more  expensive  and  time- 
consuming,  law  enforcement  will  not  give  more  priorities  to  these  offences 
than  to  cases  that  have  happened  “close  to  home”. 

Because  information  systems  alone  are  no  longer  subject  to  the 
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physical  limit  of  traditional  countries,  we  can  expect  that  many  offences 
traditionally  committed  in  neighborhoods,  communities,  and  native  areas 
now  extend  beyond  national  boundaries.  Many  other  offences  traditionally 
committed  in  a  trans-border  manner  are  becoming  a  means  to  acquire 
new  markets  in  the  more  networked  globe.  Some  new  offences  can， indeed， 
only  be  completed  in  a  trans-national  style.  Trans -national  crime  can  be 
seen  as  the  counterpart  of  international  trade  in  civil  society,  being  an 
involuntary  transaction  between  perpetrators  and  the  social  order  (in 
many  cases,  involving  victims,  but  in  many  other  cases,  victimless). 

For  example,  in  McKinnon  v  USA  &  Anor  ([2007]  EWHC  762  (Admin) 
(03  April  2007))， the  accused  used  his  own  computer  in  London  and 
obtained  unauthorized  access  to  dozens  of  governmental  computers  of  the 
U.  S.， from  which  he  discovered  the  identities  of  certain  administrative 
accounts  and  associated  passwords.  He  installed  remote  control  software 
on  these  administrative  computers.  The  software  enabled  him  to  access 
and  change  data  at  any  time. 

Many  people  have  taken  it  for  granted  that  because  computer 
networks  are  trans-national,  naturally  most  crimes  committed  in  relation 
to  the  networks  are  also  trans-national.  This  poses  a  great  concern  among 
academia,  law-enforcement  agency,  and  legislature.  However,  this  is  still 
an  unanswered  question:  firstly,  information  systems  have  crossed  the 
national  boundaries,  but  prosecuted  offences  are  mostly  confined  within 
these  boundaries;  secondly,  due  to  lack  of  an  international  arrangement  of 
law  and  enforcement， few  trans-national  cybercrime  offenders  have  been 
investigated;  and  thirdly,  offences  are  mostly  territory-dependent,  and  do 
not  cross  the  border  at  all. 

All  these  factors  are  responsible  for  the  low  likelihood  of  trans¬ 
national  cybercrime,  but,  as  we  have  seen  and  will  see  further,  the 
absence  of  international  legal  harmonization  and  assistance  mechanisms 
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contributes  primarily  to  the  current  invisibility  of  trans-national 
cybercrime. 


Impact  of  Cyber  Anonymity  on  Criminal  Motivation  and 
Victimization 


Lack  of  punishment  reduced  the  expected  cost  of  the  criminals,  which 
were  composed  thus  of  moral  costs  and  substantial  costs,  specifically,  the 
perpetrators5  necessary  devices  and  labour  in  cybercrime.  Because  there 
was  no  cybercrime  law,  there  was  neither  expected  punishment  nor  the 
expected  cost  induced  by  the  expected  punishment.  Under  such 
circumstances,  the  probability  of  conviction  equalled  zero.  The  expected 
utility  of  the  perpetrator  almost  equalled  the  utility  of  a  situation  in 
which  crime  went  undetected  or  unpunished.  According  to  an  economic 
analysis  of  crime  (Becker  1968， pp.  169-217),  those  who  are  risk- 
indifferent  are  indifferent  to  detection  and  conviction.  For  those  who  are 
risk-lovers,  cybercrime  becomes  a  new  cause,  a  new  chance,  a  new 
challenge,  and  a  new  type  of  risk.  For  those  who  are  risk  avoiders, 
because  of  the  low  risk  of  detection  and  conviction  rate  of  cybercrime,  they 
transfer  from  other  offences  to  cyber  crime.  Therefore,  the  number  of 
cybercrimes  and  perpetrators  will  inevitably  increase. 

The  low  cost  of  cybercrime  and  the  difficulty  in  detection  and  evidence 
collection  create  incentives  for  potential  perpetrators.  The  nature  of  high 
intelligence,  trans-territoriality,  and  high  concealment  of  cyber  transgress 
and  cybercrime  make  it  difficult  to  detect  and  investigate  the  cases  (See 
Conly  1991;  Clark  1996;  Stephenson  2000;  Mandia  and  Prosises  2003; 
Mohay  and  co-workers  2003;  Vacca  2005;  Johnson  2006).  Stating  from 
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another  standpoint,  cybercrime  surpasses  the  current  capacity  of  public 
and  private  regulators  to  control  (Grabosky  2000， p.  2).  As  for  the 
transgressors  or  criminals,  they  usually  only  need  to  click  the  mouse  or 
knock  the  keyboard  at  home  or  in  the  office  in  order  to  commit  the 
illegality  in  a  short  time.  The  risks  and  costs  are  in  cybercrime  lower  than 
those  in  traditional  crime,  while  the  benefits  are  higher.  This  cost- 
effectiveness  further  strengthens  the  mind  of  the  perpetrator  to  commit 
cybercrime. 

Cybercriminals  have  a  greater  advantage  than  most  of  the  traditional 
criminals  in  respect  of  the  low  probability  of  arrest  and  conviction. 
Hatcher  and  co-workers  (1997,  pp.  397,  399.)  have  pointed  out  that  many 
cybercrimes  are  not  reported.  The  term  “dark  figure’’，  used  by 
criminologists  to  refer  to  unreported  or  unrecorded  crime,  has  been 
applied  to  denote  undiscovered  cybercrimes  (UNCJIN  1999， Paragraph 
30).  As  Radzinowicz  and  King  (1977)  pointed  out  that,  “The  recorded 
figures  of  crime  are  huge  but  the  reality  behind  them  everywhere  looms 
far  larger.  The  sinister  word  dunkelziffer  (dark  figure)  was  coined  at  the 
turn  of  the  century  to  express  this  hidden  reality.”  (p.  42).  Many 
intrusions  are  not  detected  for  a  variety  of  reasons  (COM  (2000)  890  final, 
p.  11).  Cybercrimes  can  well  be  described  as  hidden  crimes,  which  is  used 
by  Cook  (1997)  to  denote  under-reported  or  under-recorded  crimes  such  as 
domestic  violence,  sexual  assault,  and  racial  harassment  (p.  55-58),  the 
counterpart  of  which  is  “hidden  victims，”  denoting  the  victims  of  the 
“hidden  crimes”  (p.  127). 

At  the  same  time， victims  of  cybercrime  are  keen  to  be  hidden  victims 
(Cook  1997， p.  127).  The  usual  “motives  for  silence”  pertaining  to 
victimization  may  fall  into  one  of  the  following  categories:  1.  The  idea  that 
the  victimization  is  not  worth  the  mobilization  of  justice;  2.  Involvement; 
3.  Pressures  of  fear;  4.  The  perturbed  accessibility  of  police  and  court;  and 
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5.  The  ignorance  of  events  by  the  police  (Radzinowicz  and  King  1977,  pp. 
38-40). 

In  sketching  the  victim  decision-making,  Greenberg  and  Ruback 
(1985)  have  established  a  three-stage  model:  the  victim  judges  whether 
the  event  is  a  crime,  evaluates  its  seriousness  and  decides  what  to  do 
(Greenberg  and  Ruback  1985， as  cited  by  Feldman  1993， p.  26).  Before 
these  stages,  one  stage  that  is  more  essential  should  be  included,  that  is, 
whether  the  victim  knows  the  event.  If  this  is  the  case,  the  reporting  of 
cybercrime  might  stay  at  a  lower  level,  because  cybercrime  is 
imperceptible  and  thorny  to  notice;  it  is  much  trickier  for  the  victim  to 
judge  whether  the  event  is  a  crime  and  to  estimate  the  losses;  and  the 
victim  has  less  awareness  of  whether  there  is  an  agency  to  report  the 
crime.  The  limited  reporting  of  the  cybercrime  has  been  noted  more  than 
20  years  ago  by  Parker  and  Nycum  (1984， p.  313)， who  studied  the 
invisibility  of  computer  crime.  At  present,  the  Internet’s  virtual 
environment  has  made  the  circumstances  still  poorer.  Auspicious  progress 
in  proving  material  evidences  in  traditional  crimes  was  made  in  late 
1980s  when  DNA  tests  were  first  introduced  (Levinson  2002,  p.  537). 
Nonetheless,  digital  evidence  in  computer  crime  is  untouched  by  such 
high-technological  testing  measures.  The  invisibility  of  cybercrimes  is 
based  on  numerous  factors,  either  technical  or  artificial  (UNCJIN  1999, 
Paragraphs  30， 31).  Sometimes,  the  straightforward  cause  is  that  the 
victims  are  not  enthusiastic  to  report,  or  even  do  not  know  where  to  report 
the  case  (Salgado  2001).  The  acknowledged  reasons  for  the  reluctance  to 
launch  legal  actions  are  principally  fear  of  undesirable  publicity,  public 
humiliation  or  loss  of  goodwill,  loss  of  investor  or  public  confidence, 
resulting  economic  consequences  such  as  the  panic  effect  that  this 
information  would  create  on  their  stock  prices  (See  Carter  1995， p.  21; 
Roush  1995,  pp.  32， 34;  Gelbstein  and  Kamal  2002,  p.  2;  McKenna  2003)， 
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and  exposure  to  future  attacks  (COM  (2000)  890  final,  p.  11).  The  UN 
suggested  that  these  factors  have  a  momentous  impact  on  the  detection  of 
cybercrime  (UNCJIN  1999,  Paragraph  31). 

Yet  there  are  other  reasons  for  the  victim  to  remain  silence.  While 
many  people  are  vigorous  in  maintaining  their  interests  and  rights,  some 
people  view  victimization  as  their  own  malfunction  in  life  and  profession 
and  are  not  enthusiastic  to  expose  the  reality  of  their  failure  to  any 
individuals  and  institutions,  so  as  not  to  make  public  their  own 
disadvantage. 

Therefore,  it  is  unavoidable  that  the  rate  of  unidentified  instances  of 
cybercrimes  has  increased  as  a  consequence.  The  2013  Australian  Cyber 
Crime  and  Security  Survey  Report  summarized  the  reasons  why 
respondents  did  not  report  cyber  security  incidents,  44%  of  them  said 
“there  are  no  benefits  of  reporting”；  44%  chose  “other”， meaning  that  the 
incidents  and  the  consequences  were  minor,  and  that  the  incidents  were 
reported  internally  and  managed  by  corporate  policy;  20%  said  that  “the 
attackers  probably  wouldn’t  get  caught  &/or  prosecuted”；  16%  of  them 
“did  not  know”；  and  12%  worried  about  “negative  publicity  for  the 
organisation”  (CERT  Australia  2014， p.  35).  This  and  other  similar 
surveys  has  indicated  the  percentages  of  respondents  identifying  each 
stated  rationale  as  being  very  imperative  in  their  assessment  not  to 
report  computer  intrusion.  At  the  same  time,  it  is  worth  noting  that  the 
reasons  are  subject  to  changes  in  each  yearly  study. 


Conclusion 


Without  ignoring  all  its  merits,  cyber  anonymity  has  deep  impact  on 
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occurrence  of  cybercrime,  mostly  reducing  the  potential  likelihood  of 
detection  and  thus  its  costs.  In  fact,  anonymity  may  to  some  extent 
encourage  potential  perpetrators  to  take  the  risk.  On  the  other  hand, 
victims  may  lose  opportunities  to  make  judgment  on  whether  or  not  it  is 
of  their  interest  to  interact  with  hidden  perpetrators.  Once  crime  occurs, 
anonymity  further  hinders  law  enforcement  from  detecting  and 
investigating. 

In  recent  year,  wrestling  between  claims  for  and  against  cyber 
anonymity  has  been  continuing.  However,  there  has  some  new 
advancement  in  judicial  sector.  The  European  Union  Court  of  Justice 
issued  a  decision  on  May  13  2014， in  case  C-131/12  (Google  Spain  SL， 
Google  Inc.  v.  Agenda  Espanola  de  Proteccion  de  Datos， Mario  Costeja 
Gonzalez),  ruling  that  the  “right  to  be  forgotten”  is  embedded  in  the 
provisions  of  Directive  95/46/EEC  (Iglezakis  2014， p.  4).  The  right  to  be 
forgotten  is  a  special  field  of  cyber  anonymity.  If  cyber  anonymity  is  not 
imposed  any  limit， vulnerable  users  and  incompetent  law  enforcement 
cannot  cope  with  problems  accompanying  it.  Therefore,  the  right  to  be 
forgotten  applies  only  where  the  information  is  “inaccurate,  inadequate, 
irrelevant  or  excessive  for  the  purposes  of  the  data  processing”  (para  93  of 
the  ruling),  the  Court  unambiguously  spelt  out  that  the  right  to  be 
forgotten  is  not  unconditional  but  will  always  have  to  be  “balanced 
against  other  fundamental  rights”， for  instance  the  freedom  of  expression 
and  of  the  media  (para  85  of  the  ruling).  Absolute  freedom  of  anonymity 
should  not  be  allowed  as  the  case  in  the  real  society.  There  is  a  necessity 
to  balance  the  needs  to  protect  privacy  and  prevent  cybercrime  (Shinder, 
2011). 
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CHAPTER  IV  HALLMARKS  OF  PROSECUTED 
CYBERCRIME 


Introduction 


The  social  change  of  recent  decades  has  been  primarily  symbolized  by  the 
development  of  information  and  communications  technology.  One  of  the 
most  significant  negative  impacts  in  this  context  is  the  emergence  and 
rampancy  of  cybercrime.  The  research  on  criminal  phenomenon  related  to 
information  and  communications  technology  has  become  a  focus  of 
criminology,  criminal  law  and  information  security. 

Cybercrime  is  a  comprehensive  topic  and  attracts  scholars  from 
different  disciplines  to  deal  with.  Many  have  been  written  about  the 
theoretical  explanation  of  cybercrime.  Many  findings  about  cybercrime  in 
different  studies  revealed  different  dimension  of  multi- dimensional 
phenomenon.  While  the  limited  previous  first-hand  exploration  have  been 
widely  accepted  and  cited， controversies  and  misleading  exist  among 
various  studies.  The  unfortunate  situation  is  that,  in  the  field  of  profile  of 
cybercriminal  and  cybervictim,  most  subsequent  theoretical  treatises  tend 
to  provide  proofs  for  the  earliest  findings,  or  at  most  provide  some  tiny 
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revisions. 


It  is  critical  to  answer  the  questions  of  “who  are  most  possible  to 
commit  cybercrime?  And， who  are  most  possible  to  be  victimized  in 
cybercrime?,?  or  “how  the  cybercrime  perpetrators  and  cybervictims  look 
like?”  The  subjects  of  cybercrimes  lead  the  tide  of  the  theory  and  practice 
of  legislation  and  law  enforcement  in  the  sense  that  the  perpetrators  are 
those  who  challenge  the  traditional  legal  system.  The  studies  and 
research  on  subject  of  computer  crime  has  had  a  history  of  several  decades, 
and  established  well-known  profile  for  the  cybercriminals  and 
cybervictims. 

With  the  deepening  of  the  research  on  cybercrime,  the  hallmarks  of 
cybercriminals  and  the  guardianship  of  cybervictims  are  paid  increasing 
attention  by  lawyers  and  law  enforcement.  The  purpose  of  this  study  is  to 
present  an  updated  profile  of  cybercriminality  and  cybervictimization, 
through  the  analysis  of  115  typical  cybercrime  cases  prosecuted  in  the 
United  States  of  America  during  18  March  1998  to  12  May  2006  and 
published  on  the  Department  of  Justice  web  site. 


Literature  review 


When  we  talk  about  subjects  of  cybercrime,  we  are  concerning  the  profile 
of  cyber  criminal.  However,  cybercriminal  is  not  one  single  person,  but 
represents  a  school  of  perpetrators.  Many  have  been  written  in  the 
previous  literature  about  “who”  would  be  the  one  who  are  most  likely  to 
commit  cybercrime  and  “who”  would  be  likely  to  be  victimised  in 
cybercrime.  Any  conclusions  drawn  from  some  hundreds  or  thousands  of 
cases  might  be  premature  or  even  misleading.  More  than  20  years  ago, 
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Bequai  (1983， p.  xviii)  pointed  out  that,  the  problem  of  computer  criminal 
profile  could  be  much  complex  and  no  one  single  picture  could  be  given  to 
sketch  the  panorama  of  this  aggregation.  Bequai  (1983,  pp.  42-45)  gave  a 
tentative  table  of  profile  of  typical  computer  perpetrator,  assembled  from 
hundreds  of  cases  involved  in  the  United  States  Bureau  of  Justice 
statistics.  He  had  the  same  worry  about  the  misleading  effect  as  many 
other  scholars  did. 

Bequai  (1978,  p.  4)  presented  that: 

“Studies  of  computer  criminals  usually  portray  them  as  young, 
educated,  technically  competent,  and  usually  aggressive.  Some  steal  for 
personal  gain,  others  for  the  challenge,  and  still  others  because  they  are 
pawns  in  a  larger  scheme... Still  other  studies  typically  portray  computer 
criminals  as  technicians,  managers,  and  programmers.  They  are  usually 
perceived  as  jovially  challenging  the  machine,  and  discovery  occurs  only 
through  inadvertence.  The  theft  usually  involves  money,  services,  or  trade 
secrets.  However,  when  caught,  the  computer  criminal’s  sentence  is  light 
compared  to  that  of  traditional  property-crime  felons,  who  usually  receive 
harsh  sentences  for  crimes  involving  much  less  property  or  money.” 

It  has  been  widely  recognised  that  there  is  no  single  profile  that  can 
capture  the  characteristics  of  a  “typical”  computer  criminal,  and  many  who 
fit  the  profile  are  not  necessarily  criminals  at  all  (Ware,  Pfleeger  and 
Pfleeger  2002,  p.  20).  Donn  B.  Parker  (1976)  has  presented  a  brilliant 
portrait  of  a  computer  crime  perpetrator: 

“Perpetrators  are  usually  bright,  eager,  highly  motivated,  courageous, 
adventuresome,  and  qualified  people  willing  to  accept  a  technical 
challenge.  They  have  exactly  the  characteristics  that  make  them  highly 
desirable  employees  in  data  processing.” 
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The  development  of  the  computer  technology  has  changed  the 
depiction  completely  (Becker  1981).  Becker  (1981)  suggested  seven  views 
of  computer  system:  the  playpen， the  land  of  opportunity,  the  cookie  jar, 
the  war  zone,  the  soapbox,  the  fairyland,  and  the  toolbox  (pp.  18-20). 
Bequai  (1983， pp.  47-50)  researched  the  potential  sources  of  computer 
attack  might  vary  from  each  other,  but  could  be  grouped  into  three 
categories:  dishonest  insiders,  outsiders,  and  users.  It  implied  that 
everyone  has  an  equal  chance  to  be  involved  in  computer  crime,  in  the  age 
when  the  Internet  did  not  expand  as  wide  as  present.  Wasik  (1991， pp.  60- 
65)  concentrated  on  the  characteristics  and  classifications  of  perpetrators 
as  well.  Levinson  (2002)  sorted  courses  of  cyber  threats  into  five  groups, 
including  insiders,  hackers,  virus  writers,  criminals  groups,  and  terrorists 
(Levinson  2002,  p.  525).  Reynolds  (2003,  pp.  58-65)  classified  perpetrators 
into  hacker,  cracker,  insider,  industrial  spy,  cybercriminal  and 
cyberterrorist.  That  is  to  say， the  spacious  application  of  computers 
created  a  multi-dimensional  social  environment,  and  the  potential 
computer  criminals  inevitably  discovered  the  opportunities. 

The  Internet  users  worldwide  are  strongly  sex  divided,  that  is,  a 
higher  percentage  of  males  than  females  use  Internet.  For  example， in 
2001， only  6  per  cent  of  Internet  users  in  the  Arab  States  are  women;  38 
per  cent  in  Latin  America;  25  per  cent  in  the  EU;  37  per  cent  in  China,  19 
per  cent  in  Russia,  18  per  cent  in  Japan,  17  per  cent  in  South  Africa,  and 
nearly  50  per  cent  in  the  United  States  are  women.1  However,  the  distance 
is  increasingly  smaller;  with  females  constitute  the  lager  group  of  Internet 
users  in  some  countries.  In  Nordic  countries,  it  was  found  that  also  male 
have  a  higher  percentage  of  daily  users  of  the  Internet  (Nordic  Council  of 
Ministers  2005,  p.  42,  Table  2.5). 


1  Women’s  Learning  Partnership,  December  2001,  http://leamingpartnership.org/facts/tech.phtml 
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The  previous  studies  proved  that  cybercrime  is  far  more  sex  divided 
than  the  Internet  use.  According  to  Levinson  (2002)， “It  is  well  established 
that  boys  commit  far  more  juvenile  crime,  particularly  violent  crime,  than 
girls.”  (p.  490)  The  cybercrime  seems  less  violent,  but  the  research 
indicated  that  more  males  commit  cybercrimes  than  female.  According  to 
Jiang  (2000),  males  constitute  91.45  percent  of  the  perpetrators  in  a 
statistics,  while  females  constitute  only  8.55  percent.  He  supposed  the 
differences  of  computer  knowledge  and  skills  and  the  attitudes  in  online 
interactions  between  males  and  females  resulted  in  this  situation  (pp.  151- 
152).  However,  the  reasons  why  the  females  have  found  less  guilty  of 
cybercrime  than  males  are  not  clear  at  all.  It  needs  specific  search  to 
answer  the  questions  such  as:  “Do  females  commit  less  cybercrimes?”  “Are 
female  cybercriminals  less  detected?”  or  more  philosophically,  “Can  we 
measure  criminal  phenomenon  among  males  and  females  under  the  same 
concept?”  But  this  study  is  not  intended  to  answer  these  questions. 

A  noteworthy  phenomenon  is  that,  in  regardless  of  individual 
cybercrimes,  corporate  cybercrime,  or  organized  cybercrime,  the  young 
perpetrators  play  a  critical  part.  Although  there  is  no  age  limit  to  commit 
cybercrime,  we  found  that  similar  to  traditional  crimes,  the  youth 
constitute  an  important  part  of  the  cyber  criminals.  As  Shannon  (1993， p. 
2)  reported  that,  cybercriminals  tend  to  usually  be  between  the  ages  of  14- 
30,  they  are  usually  bright,  eager,  highly  motivated,  adventuresome,  and 
willing  to  accept  technical  challenges.  The  age  of  criminal  responsibility  is 
prescribed  different  between  countries.  In  most  countries,  children  less 
than  14  or  15  years  of  age  are  not  liable  for  the  criminal  offence,  while 
children  between  15-17  or  14-16  years  of  age  are  liable  for  limited  range  of 
offences.2  In  fact,  juveniles  commit  a  number  of  these  crimes.  In  China, 

2  For  example,  in  China  Penal  law,  children  under  14  years  old  of  age  are  not  liable;  in  Finland 
Penal  law,  the  age  limit  is  15.  In  some  other  countries,  the  liability  age  is  even  lower.  In  England 
and  Wales,  the  age  is  1 0-year-old,  while  the  limited  liability  ages  are  between  10-14  years  of  age. 
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the  Internet  users  between  the  ages  of  19-40  make  up  80  percent  of  all 
users,  and  the  average  age  of  the  cybercrime  perpetrators  is  23  years  old 
(Dong  2003).  Juvenile  delinquency  and  juvenile  justice  became  issues 
closely  associated  with  cyber  crime.  According  to  findings  of  criminal 
psychological  research,  the  reason  why  the  children  are  more  likely  to 
commit  crime  is  not  because  more  and  more  children  will  commit  crime, 
but  because  most  of  the  potential  offenders  will  commence  to  commit 
crime  in  childhood  and  continue  their  criminality  for  much  of  their 
lifetime.  After  16-17  years  of  age,  the  offending  rates  decreases  to  a 
plateau  (Howitt  2002,  pp.  76-77). 

Underwood  (2002)  found  that  the  cybercriminal  behaviour  cuts  across 
a  broad  range  of  society， with  the  age  of  most  offenders  ranging  from  10  to 
60  years.  People  between  the  ages  of  20  and  59  make  up  94  percent  of 
computer  criminals,  with  the  most  active  being  people  in  their  thirties. 

Bequai  (1983， p.  43， Table  l)’s  profile  of  typical  computer  felon 
presented  a  full  portrait  of  the  above  mentioned  aspects， with  more  other 
aspects.  He  stated  that  the  age  of  computer  criminals  is  between  15-45 
years  old.  Males  are  responsible  for  most  computer  crimes,  but  females 
are  increasing.  The  occupational  experience  of  computer  criminals  differs 
from  the  highly  experienced  technician  to  a  minimally  experienced 
professional.  Both  public  and  private  sectors  could  be  the  victims  of  the 
computer  crimes.  The  computer  criminals  have  the  personal  traits  of 
being  bright,  motivated,  and  ready  to  accept  the  technical  challenge; 
usually  a  desirable  employee,  a  hard  and  committed  worker.  Computer 
crimes  are  mostly  by  individual  perpetrators,  but  conspiracies  are 
increasing.  Most  offences  are  committed  by  insiders  who  have  easy  access 
to  the  computer  system.  The  security  of  the  victims’  system  is  usually 
slack. 

It  has  been  an  important  topic  to  distinguish  the  sources  that  the 
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offenders  come  from  and  the  relationship  between  the  offenders  and  the 
victims,  by  which  computer  crimes  can  be  divided  into  offences  by  insiders 
and  offences  by  outsiders.  Shaw,  Ruby  and  Post  (1998)  classified  insiders 
into  information  technology  specialists  such  as  full-time  or  part-time 
employees,  contractors,  consultants,  or  temporary  workers;  partners  and 
customers  with  system  access;  and  former  employees  retaining  system 
access.  About  whether  the  insiders  or  the  outsiders  constitute  the  greatest 
threat  to  the  computer  system,  there  have  been  different  findings.3 

However,  the  mainstream  findings  support  the  view  that  the  insiders 
have  been  more  likely  to  be  involved  in  computer  crimes  against  the 
employers’  systems.  The  Nordic  Council  of  Ministers  (2005)  found  that 
students,  employees  and  self-employed  people  constitute  the  higher 
percentage  of  the  Internet  penetration  (Nordic  Council  of  Ministers  2005, 
p.  42,  Table  2.5).  Mackenizie  and  Goldman  (2000)  reported  that  some 
students,  particularly  computer  science  and  engineering  majors,  with 
newly  discovered  skills  attempt  to  break  into  the  servers  of  University  of 
Delaware  (p.  174).  Meta  Group  (2004)  found  that,  of  more  than  1,600 
information  and  communications  technology  professionals,  current 
employees  represent  the  biggest  threat  to  technology  infrastructure s . 
Computer  Security  Institute  and  Federal  Bureau  of  Investigation 
reported  that  55  percent  of  survey  respondents  reported  malicious  activity 
by  insiders  (Nelson  2004).  Researchers  also  revealed  that  the  dissatisfied 
employees  are  a  major  source  of  computer  crimes  (Vatis  1999)  and  are  the 
greatest  threat  to  a  computer’s  security  (Sinrod  and  Reilly  2000,  pp.  183- 
187).  When  Sutherland  suggested  the  term  “white-collar  crime”  in  the  late 
1930s， he  might  hardly  imagine  that  there  would  be  crimes  in  the  process 


For  example,  The  AFCOM's  Data  Centre  Institute  found  that  the  cyber  attacks  launched  by 
outsiders  (52  percent)  were  ten  times  that  of  the  insiders  (5  percent).  However,  the  respondents 
were  more  concerned  the  insider  threats  than  the  outsider  ones.  See  Edward  Hurley,  Are  Insiders 
Really  a  Bigger  Threat?  17  July  2003.  Retrieved  26  June  2006,  from 
http://searchsecurity.techtarget.eom/originalContent/0, 289 142, sidl4_gci906437,00.html 
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of  human-machine  interaction,  other  than  the  human-human  interaction, 
human-organisation  interaction,  or  human  action  against  machine. 
Nevertheless,  the  term  “white-collar  cybercrime”  also  came  into  being  at 
present  as  a  contribution  to  develop  Sutherland’s  theory.4 

Besides  the  revealed  relationship  between  the  criminals  and  victims, 
others  also  explored  the  characteristics  of  victims.  Syngress  (2002) 
summarized  the  common  victim  characteristics  include  those  who  are  new 
to  the  Internet;  who  are  naturally  naive;  who  are  disable  or 
disadvantaged;  who  are  greedy,  lonely,  or  have  other  emotional  needs; 
pseudo-victims  who  report  having  been  victimized  but  actually  were  not; 
and  who  are  simply  unlucky  enough  to  be  in  the  wrong  (virtual)  place  at 
the  wrong  time. 

From  the  previous  literatures,  the  profile  of  cybercriminal  and 
cybervictim  could  hardly  be  regarded  as  settled.  In  addition,  the  available 
literatures  did  not  provide  detailed  sources  of  materials  and  clarify  their 
methods.  Many  literatures  have  apparently  been  based  on  second-hand 
materials  and/or  mass  media  reports.  There  is  still  a  need  of  findings 
about  the  hallmarks  of  cybercriminals  and  cybervictims  drawn  from  the 
prosecuted  cases. 


Methods 


The  study  used  a  sample  of  115  reported  typical  cases  sentenced  or  on 
trial  (during  18  March  1998  to  12  May  2006)， published  on  the  web  site  of 

4  See  for  example,  “Victim  Assistance  Online”  Web  site.  Retrieved  8  July  2006,  from 
http://www.vaonline.org/internet_wcollar.html.  The  term  44 White-Collar  Hacker”  is  also  used,  for 
example,  by  Leyden,  J.  The  Rise  of  White  Collar  Hacker,  2004.  Retrieved  8  July  2006,  from 
http://www.theregister.co.uk/2004/03/31/the_rise_of_the_white/ 
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the  United  States  Department  of  Justice.  The  study  took  all  the  cases 
listed  in  the  web  page  located  at 

<http://www.cybercrime.gov/cccases.html>.  About  the  nature  of  these 
cases,  the  web  page  gives  a  note  as: 

“Below  is  a  summary  chart  of  recently  prosecuted  computer  cases. 
Many  cases  have  been  prosecuted  under  the  computer  crime  statute,  18 
U.S.C.  §1030.  This  listing  is  a  representative  sample;  it  is  not  exhaustive.” 

The  study  classified  the  sample  cases  into  hacking  and  illegal  access; 
attack,  sabotage  and  botnet;  viruses,  worms,  spyware  and  logic  bomb; 
data  theft  and  espionage;  ID  theft,  fraud;  and  miscellaneous  including 
embezzlement  and  corruption.  The  strict  legal  categorization  is  not  used 
in  this  study.  Rather,  the  classification  is  based  on  criminological 
characteristics  of  the  behaviours. 


The  statistical  items  include  those  related  to  the  demographic 
characteristics  of  the  cybercriminal  (including  gender,  age,  insider  or 
outsider,  American  citizen  or  foreigner),  the  nature  of  the  victims 
(including  private,  public,  private  and  public,  and  public  health  and 
safety),  the  losses  of  the  cases,  and  the  decided  punishments  on  the 
cybercirme  (imprisonment  and  fine),  the  guardianship  level  of  the  victim 
(classified  into  strong,  medium,  and  weak),  and  the  complexities  of 
techniques  involved  (classified  into  complicated,  medium,  and  simple). 


Results 


1.  Gender  distribution  of  cybercrime 
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In  most  categories  of  offences,  male  offenders  constitute  the  absolute 
majority  of  the  criminals.  Only  two  female  offenders  are  reported  in 
hacking  and  illegal  access,  one  reported  in  miscellaneous  offences 
(including  embezzlement,  corruption,  and  so  on).  The  overall  male 
offenders  constitute  more  than  98  percent  of  the  total  perpetrators,  while 
the  female  are  only  less  than  two  percent. 


2.  Age  distribution  of  cybercrime 

The  report  from  the  website  is  incomplete  in  providing  offenders’  age 
information.  The  non-available  age  information  exists  in  every  category  of 
offence.  About  73  .1  percent  of  offenders  of  ID  theft,  30.4  percent  of  attack, 
sabotage  and  botnet,  18.2  percent  of  viruses,  worms,  spyware  and  logic 
bomb,  15.9  percent  of  hacking  and  illegal  access， 14.3  percent  of  both  data 
theft  and  espionage,  and  miscellaneous  (including  embezzlement  and 
corruption)  are  absent. 

Three  perpetrators  with  the  age  of  younger  than  16  years  old  are 
convicted  with  offences  in  the  categories  of  hacking  and  illegal  access,  and 
viruses,  worms,  spyware  and  logic  bomb. 

The  offenders  of  the  age  older  than  46  years  old  distribute  in  most 
categories  of  offences， except  fraud  and  miscellaneous  (embezzlement  and 
corruption).  However,  generally  they  are  not  active  in  computer  crime  and 
constitute  a  small  percentage  of  the  total  reported  offenders  (including  the 
offenders  whose  ages  are  non-available):  about  28.6  percent  of  offenders  in 
data  theft  and  espionage,  mote  than  9  percent  of  viruses,  worms,  spyware 
and  logic  bomb,  four  percent  of  attack  and  sabotage,  and  3.8  percent  of  ID 
theft. 

The  cyber  criminals  distribute  obviously  among  the  ages  between  17 
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to  45  years  old.  Offenders  among  those  approximately  79.3  percent  of 
hacking  and  illegal  access,  approximately  65.2  percent  of  attack  and 
sabotage,  approximately  63.7  percent  of  viruses,  worms,  spyware  and 
logic  bomb,  approximately  85.8  percent  of  data  theft  and  espionage, 
approximately  26.8  percent  of  ID  theft,  exactly  100  percent  of  fraud,  and 
approximately  85.7  percent  of  miscellaneous  (embezzlement  and 
corruption),  are  between  the  age  of  17  to  45  years  old. 

More  detailed  distribution  of  offenders  with  the  age  between  17  to  45 
years  old  can  be  described  as  the  follows:  the  number  of  the  offenders  of 
the  age  between  17  to  25  is  41， the  number  between  26  to  35  is  39,  and  the 
number  between  36  to  45  is  21， constitutes  27  percent,  26  percent  and  17 
percent  of  all  of  the  reported  offenders  (including  the  offenders  whose  ages 
are  non-available)  separately.  In  the  age  group  of  17  to  45  years  old,  17  to 
25-year-olds  constitute  40.6  percent,  26  to  35-year-olds  38.6  percent,  and 
36  to  45-year-olds  20.8  percent  separately.  The  ratios  of  offenders  seem  to 
be  decreasing  with  age. 


3.  Domestic  versus  foreign  perpetrators 


Altogether  14  out  of  115  cases  were  committed  by  international 
perpetrators  or  foreigners,  a  ratio  of  weaker  than  12.2  percent.  Domestic 
perpetrators  are  responsible  for  the  rest  87.8  percent  of  the  cyber 
criminals.  Majority  of  the  reported  cases  are  domestic  computer  offences. 

4.  Insider  versus  outsider 


Insiders  and  outsiders  constitute  different  ratios  in  different  categories  of 
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offences.  The  categories  in  which  the  insiders  constitute  the  majority  of 
offenders  include:  all  offenders  of  data  theft  and  espionage  were  insiders, 
while  57.1  percent  of  fraudsters  are  insiders. 

The  categories  in  which  outsiders  constitute  the  majority  of  offenders 
include:  exactly  100  percent  of  ID  theft， approximately  92.9  percent  of 
miscellaneous  (including  embezzlement  and  corruption),  approximately  87 
percent  of  attack  and  sabotage,  approximately  81.8  percent  of  viruses, 
worms,  spyware  and  logic  bomb,  and  approximately  76.2  percent  of 
hacking  and  sabotage.  In  fact， outsiders  also  constitute  a  strong  ratio  in 
fraudsters:  approximately  42.9  percent. 

The  former  employees  are  included  in  the  category  of  outsiders.  A 
significant  ratio  of  offenders  of  attack  and  sabotage  are  former  employees, 
who  constitute  approximately  43.5  percent.  Former  employees  also 
constitute  12.7  percent  of  offenders  of  hacking  and  illegal  access,  and 
approximately  7.2  percent  of  offenders  of  embezzlement  and  corruption. 

Overall,  insiders  and  outsiders  constitute  21  percent  and  79  percent 
of  all  reported  offenders  separately.  The  former  employees  constitute  16 
percent  of  all  of  the  outsiders.  If  add  up  former  employees  into  insiders, 
they  would  constitute  about  34  percent  of  the  total  offenders,  still  a  less 
ratio  than  outsiders. 


5.  Losses  of  cybercrime 


In  more  than  59  percent  of  cybercrime  cases,  no  loss  was  mentioned  in  the 
report.  Among  the  rest  less  than  41  percent  of  cases,  approximately  seven 
percent  are  with  losses  less  than  10  thousand  dollars,  approximately  15.7 
percent  with  losses  between  10  thousand  and  100  thousand  dollars, 
approximately  10.4  percent  with  losses  between  100  thousand  and  one 
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million  dollars,  and  approximately  9.6  percent  with  losses  more  than  one 
million  dollars. 

Hacking  and  illegal  access,  viruses,  worms,  spyware  and  logic  bomb, 
ID  theft,  and  miscellaneous  (including  embezzlement  and  corruption)  are 
among  the  top  list  with  most  average  losses,  each  of  which  are  beyond  one 
million  dollars.  The  average  losses  of  attack  and  sabotage,  data  theft  and 
espionage,  and  fraud  are  relatively  lower,  160  thousand,  5  thousand  and 
384  thousand  dollars  separately. 

Overall,  the  average  loss  of  the  reported  49  cases  with  is  more  than 
2.989  million  dollars.  Adding  cases  without  losses  reported,  the  average 
loss  still  reaches  1.274  million  dollars. 


6.  Victims  of  cybercrime 

Private  sector  is  the  primary  victim  of  cybercrime.  All  of  the  cases  of  data 
theft  and  espionage,  ID  theft,  and  fraud  are  against  private  interest. 
Approximately  87.5  percent  of  miscellaneous  (including  embezzlement 
and  corruption),  approximately  81.8  percent  of  viruses,  worms,  spyware 
and  logic  bomb,  approximately  77.3  percent  of  attack  and  sabotage, 
approximately  69.5  percent  of  hacking  and  illegal  access  are  committed 
against  private  sector. 

Only  approximately  18.2  percent  of  attack  and  sabotage, 
approximately  13.6  percent  of  hacking  and  illegal  access,  and 
approximately  12.5  percent  of  miscellaneous  (including  embezzlement  and 
corruption)  are  against  public  sector. 

Besides,  approximately  15.3  percent  of  hacking  and  illegal  access,  and 
approximately  9.1  percent  of  viruses,  worms,  spyware  and  logic  bomb 
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cases  are  against  both  private  and  public  sectors. 

In  addition,  approximately  9.1  percent  of  viruses,  worms,  spyware 
and  logic  bomb,  approximately  4.5  percent  of  attack  and  sabotage,  and 
approximately  1.7  percent  of  hacking  and  illegal  access  cases  are  against 
public  health  and  safety,  as  it  was  named. 

7.  Guardianship  level  of  the  victim 

In  majority  of  cases,  the  guardianship  is  weak.  Exactly  100  percent  of 
cases  of  data  theft  and  espionage,  and  ID  theft  are  possibly  due  to  the 
absent  of  related  guardianship.  In  other  cases,  approximately  90.9  percent 
of  viruses,  worms,  spyware  and  logic  bomb,  approximately  87.5  percent  of 
miscellaneous  (including  embezzlement  and  corruption),  approximately 
82.6  percent  of  attack  and  sabotage,  approximately  80  percent  of  fraud, 
and  approximately  74.6  percent  of  hacking  and  illegal  access  are  due  to 
weak  guardianship. 

Approximately  20  percent  of  fraud  cases,  approximately  16.9  percent 
of  hacking  and  illegal  access,  and  approximately  9.1  percent  of  viruses, 
worms， spyware  and  logic  bomb  could  be  classified  into  the  category  of 
medium  guardianship. 

Only  approximately  17.4  percent  of  attack  and  sabotage, 
approximately  12.5  percent  of  miscellaneous  (including  embezzlement  and 
corruption),  and  approximately  8.5  percent  of  hacking  and  illegal  access 
could  be  stated  as  with  strong  guardianship,  even  though  the  offences  are 
succeeded. 


8.  Complexity  of  cybercrime 
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All  the  cases  of  data  theft  and  espionage  seem  uncomplicated  to 
perpetrate.  Approximately  87.5  percent  of  miscellaneous  (including 
embezzlement  and  corruption),  approximately  80  percent  of  fraud, 
approximately  73.9  percent  of  attack  and  sabotage,  66.7  percent  of  ID 
theft,  and  approximately  66.1  percent  of  hacking  and  illegal  access 
involved  no  complicated  techniques,  or  techniques  that  could  be  available 
most  common  computer  or  network  users  at  the  time  of  committing  such 
offences. 

Approximately  27.3  percent  of  viruses,  worms,  spyware  and  logic 
bomb,  approximately  20  percent  of  fraud,  approximately  12.3  percent  of 
hacking  and  illegal  access,  and  approximately  8.7  percent  of  attack  and 
sabotage  cases  are  committed  with  a  medium  level  of  techniques. 

Cases  of  viruses,  worms,  spyware  and  logic  bomb  might  involve  the 
most  complicated  techniques,  with  72.7  percent  of  which  classified  into 
the  most  complicated  category.  Approximately  33.3  percent  of  ID  theft, 
approximately  18.3  percent  of  hacking  and  illegal  access,  approximately 
17.4  percent  of  attack  and  sabotage,  and  approximately  12.5  percent  of 
miscellaneous  (embezzlement  and  corruption)  might  involve  complicated 
techniques,  or  techniques  unavailable  to  common  users  at  the  time  of 
committing  such  offences. 


9.  Imprisonment  sentences 


The  punishments  for  many  cases  are  labeled  with  “to  be  decided.”  The 
study  calculated  the  punishment  of  the  sentenced  cases.  The  average 
imprisonment  for  the  data  theft  and  espionage  case  is  50  months,  the 
longest  among  all  the  categories  of  cybercrimes.  Attack  and  sabotage,  and 
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miscellaneous  (embezzlement  and  corruption)  are  imposed  the  same 
average  imprisonment  of  40.3  months.  Fraudsters  obtained  an  average 
imprisonment  of  32.5  months.  Attack  and  sabotage  cases  are  sentenced 
with  an  average  imprisonment  term  of  28.1  months.  The  shortest  average 
imprisonment  term,  21.9  months,  is  imposed  on  hacking  and  illegal  access 
perpetrators,  that  is,  the  hackers. 

Total  imprisonment  term  imposed  on  reported  53  offenders  is  1429 
months,  with  an  average  of  shorter  than  27  months.  Among  these  cases, 
the  longest  imprisonment  is  96  months,  while  the  shortest  is  only  one 
month. 


10.  Fine  sentences 


Fine  is  usually  imposed  on  perpetrators  of  hacking  and  illegal  access,  and 
attack  and  sabotage.  Overall,  exactly  ten  cases  ended  with  fine  of  lower 
than  10  thousand  dollars,  nineteen  cases  with  fine  between  10  to  100 
thousand,  twelve  cases  with  fine  between  100  thousand  and  one  million, 
and  two  cases  with  fine  over  one  million  dollars  (one  case  fined  2  million 
and  the  other  case  fined  7.8  million  dollars). 

The  fine  imposed  on  offenders  43  offenders  totaled  13.45  million 
dollars,  with  an  average  of  312.78  thousand  dollars.  However  this  sum  is 
greatly  due  to  the  high  fines  in  two  cases  where  the  offenders  were  fined 
with  2  and  7.8  millions  dollars， which  contribute  to  an  average  of  228 
thousand  dollar  for  each  case  calculated.  Except  these  two  cases,  the 
average  fine  of  the  41  cases  is  approximately  89  thousand  dollars. 
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Discussion  and  conclusion 


The  subjects  of  cybercrimes  can  be  either  insiders  or  outsiders.  Many 
studies  found  that  the  insiders  constitute  a  great  threat  to  the  employers’ 
systems.  However,  younger  juveniles  might  be  less  employed  than  older 
juveniles.  That  is  to  say,  the  younger  juveniles  may  represent  the 
increasing  outsiders  engaged  in  cybercrimes.  On  the  other  hand,  the 
nature  of  cybercrime  decides  that  the  perpetrators  do  not  have  age  limit. 
Any  one  who  can  use  the  computers  and  Internet  can  commit  cybercrime. 

In  my  opinion,  the  concept  of  white-collar  crime  could  not  fit  the 
situation  of  cybercrime.  Although  the  white-collar  crime  emphasizes  the 
employment  and  social  status  of  the  criminals,  I  consider  that  one  of  the 
most  relevant  factors  in  white-collar  crime  is  the  knowledge  that  the 
criminals  have  acquired  from  both  their  pre-employment  education  and 
their  occupational  career.  It  is  not  oversimplified  to  view  white-collar 
crime  as  a  knowledge-based  offence， compared  with  violence-based 
traditional  offences.  Different  from  either  of  these  two  kinds  of 
conceptions,  cybercrime  could  be  either  knowledge-based  white-collar 
crime  or  knowledge-based  cyber  violence.  Overall,  there  is  a  reluctant 
distinction  between  cybercrime,  white-collar  crime  and  even  violent  crime. 

However,  it  is  reasonable  to  conclude  that,  when  there  were  few 
computers,  the  employees  in  the  computer-related  industries  were  among 
the  small  number  of  computer  users.  They  acquire  more  chances  to 
conspire  an  offence  against  their  employers.  With  the  prevalence  of 
personal  computers  and  the  development  of  the  Internet,  the  insiders 
remain  to  keep  their  advantages  in  having  a  better  knowledge  about  the 
access  control  mechanisms,  assets  management  systems,  and  the  overall 
loopholes.  The  insider  knowledge,  convenience,  and  directness  encourage 
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the  employees  to  commit  cybercrimes.  As  the  United  States  Secret  Service 
and  CERT  Coordinator  Center’s  study  disclosed  that  minimal  technical 
skill  was  required  in  launch  cyberattacks  on  banking  and  finance  sector 
(Randazzo  and  co-workers  2004). 5 

In  addition， insiders  are  exposed  them  to  the  negative  psychological 
influence  derived  from  their  information  work  environment.  Shaw,  Ruby 
and  Post  (1998)  identified  the  characteristics  that  increase  the  tendency 
towards  illegitimate  and  harmful  conducts  of  the  employees,  including 
computer  dependency,  a  history  of  personal  and  social  frustrations 
(especially  anger  toward  authority),  ethical  flexibility,  a  mixed  sense  of 
loyalty,  entitlement,  and  lack  of  empathy. 

On  the  other  hand,  the  offences  by  the  insiders  involve  less 
complicated  process  of  being  traced,  detected  and  investigation  than  that 
by  the  outsiders.  If  we  could  not  judge  whether  insiders  or  outsiders  are 
liable  for  more  cybercrimes,  we  should  firstly  consider  the  question  on 
who  are  more  possible  to  do  it  and  who  are  more  possible  to  be  caught. 
The  insiders  surely  coincide  both  of  the  situation.  Furthermore,  it  is  more 
efficient  for  the  law  enforcement  to  reveal  an  inside  misuse  than  an 
outside  attack,  they  are  rationally  more  likely  to  pay  more  attention  to 
the  current  and  previous  employees.  The  outside  incidents  or 
international  disturbances  would  possibly  be  disregarded  at  the  first  sight 
of  the  investigation， except  it  deserves  an  international  show-off. 

Summarily,  the  study  found  that  males  are  responsible  for  a  majority 
of  cyber  crime.  The  cybercriminals  distribute  primarily  among  the  ages 
between  17  to  45  years  old.  Domestic  perpetrators  constitute  the  absolute 
majority  of  the  cybercriminals.  Outsiders  are  four  times  more  likely  to  be 
involved  in  cybercrimes  than  insiders.  A  large  part  of  the  cybercrimes  did 

5  In  different  studies,  the  term  insider  is  defined  differently.  In  Randazzo  and  co-workers  (2004)， 
insider  was  defined  as  including  “current,  former,  or  contract  employees  of  an  organization.” 
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not  cause  economic  loss.  However,  once  involving  losses,  the  average  sum 
could  reach  as  high  as  one  million.  The  primarily  endangered  interests 
are  of  private  sector,  even  though  the  threats  to  the  public  sector  have 
usually  been  given  more  concern.  The  guardianship  of  the  victims  is 
surprisingly  weak,  vulnerable  to  the  uncomplicated  cybercrimes.  The 
punishments  (both  imprisonment  and  fine)  against  cybercrime  are 
generally  light. 

The  limit  of  this  study  is  that  the  sample  cases  are  randomly  selected 
published  on  the  United  States  of  America  Department  of  Justice  web  site. 
They  could  be  regarded  as  typical  cybercrime  cases,  but  it  is  difficult  to 
say  whether  they  could  be  considered  the  representatives  of  the 
cybercrimes  happened  in  the  United  States.  Therefore,  this  study  is  an 
explanation  on  the  cases  as  “they  are.”  Sample  survey  is  usually  used  to 
give  a  sketch  for  the  scenario  of  the  whole  through  the  part,  but  this  study 
warns  careful  generalization  of  its  findings  to  the  related  items  of  all  the 
cybercrimes.  To  avoid  the  shortcomings  in  the  materials,  the  ideal  study 
should  cover  a  random  sample  in  a  wider  range  of  cases,  if  it  is  available. 
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CHAPTER  V  CYBERSTALKING 


Introduction 


In  my  research  on  motives  for  cybercrime,  I  conclude  that  curiosity  is  an 
overwhelming  psychological  power,  propelling  people  to  identify  the 
unidentified  and  to  manage  the  unmanageable,  or  to  demolish  the 
established,  and  to  deorganize  the  organized,  whether  in  the  macro  or  the 
micro  dimensions.  Information  systems  are  a  dimension  which  has 
developed  to  some  extent  under  the  dynamics  of  human  curiosity  and  has 
been  threatened  to  some  extent  by  this  force  (Li  2008,  p.  198). 

Curiosity  propels  people  to  acquire  new  knowledge  on  things  around 
us.  People  are  always  curious  for  good,  or  curious  for  bad.  Observing  is  a 
process  of  people  acquiring  fresh  understanding  from  outside  world.  With 
the  progress  of  civilization,  objects  of  observing  can  range  from  material 
world  to  spiritual  world,  from  macroworld  to  microworld,  and  from 
environment  to  human  beings  and  fauna  and  flora.  Everybody  was 
growing  in  all  conscience  obtain  perception  and  dexterity  by  perpetually 
observing.  Even  when  the  observed  person  became  unwilling  and  unhappy 
to  be  observed,  observation  could  hardly  be  suspected,  prevented,  or 
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denounced.  Conflicting  are  motives  of  those  who  want  to  reveal  and  that  of 
those  who  want  to  conceal.  When  the  observed  became  fearful  and 
distressed  that  their  or  their  family  members’  health,  wealth,  privacy  and 
spiritual  welfare  are  prone  to  suffer  losses  due  to  nettlesome  observing, 
they  perceive  a  parlous  stalking.  Thence  observation  was  classified  into  at 
least  two  categories:  wanted  harmless  observation  and  unwanted  harmful 
observation.  As  a  matter  of  fact,  stalking  has  long  been  a  known  activity  of 
an  obsessive  stalker  towards  a  distressed  stalkee.  Although  stalking  might 
have  had  a  long  history,  its  impact  attracted  broad  attention  in  recent 
several  decades. 

Stalking  can  be  defined  in  a  mixture  of  ways.  This  article  is  not 
intended  to  engage  in  disputation  on  issue  of  definitions,  even  though 
many  authors  may  not  agree  with  each  other,  or  agree  with  the  way  by 
which  this  article  deals  with  the  definition  question,  the  effect  of  which 
was  too  often  overestimated  by  too  many  authors.  Wikipedia  can  be  edited 
by  professional  or  amateur  authors,  comprehensively  defining  stalking  as 
“the  obsessive  following,  observing,  or  contacting  of  another  person,  or  the 
obsessive  attempt  to  engage  in  any  of  these  activities,  including  following 
the  person  to  certain  places,  to  see  where  they  live  or  what  the  person  does 
on  a  daily  basis,  it  also  includes  seeking  and  obtaining  the  person’s 
personal  information  in  order  to  contact  him  or  her  (2008a).  Many  writers 
claim  that  there  is  hardly  a  consensus  on  how  to  define  stalking,  in 
practice,  from  existing  literature,  it  is  clear  that  there  is  hardly  any 
dissension  on  its  fundamental  aspects.  Of  course,  if  it  is  to  make  some 
particular  comparison  for  the  purpose  of  defining  it  more  precisely, 
differences  can  be  found  between  them.  Yet  the  character,  occurrence,  and 
impact  of  stalking  are  only  currently  being  systematically  studied  (Mullen 
and  Pathe  2002,  p.  273)， and  legislation  has  not  been  prepared  until  1990 
in  main  western  countries  (Spitzberg  and  Hoobler  2002,  pp.  71-72). 
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It  seemed  that  shortly  after  traditional  stalking  had  been 
criminalized,  new  approaches  for  stalking  emerged  as  the  adoption  of 
some  high  technological  inventions  were  used  in  monitoring  people’s 
activities.  In  the  end,  what  happened  that  made  stalking  a  public  concern 
by  such  new  technologies?  Some  insist  that  cyberstalking  has  developed 
from  traditional  stalking,  while  others  claim  that  it  is  completely  different. 
Based  on  the  recognition  of  stalking  as  a  kind  of  long-existing  human- 
human  observation,  this  article  will  expatiate  on  recent  development  that 
can  be  expressed  as  from  traditional  stalking  to  cyberstalking  by 
presenting  particular  power  of  the  Internet  and  search  engines. 
Cyberstalking  is  the  exploitation  of  information  and  communication 
technological  methods  to  follow  other  persons  repetitively  to  cause 
displeasure,  annoyance,  distress  and  fear.  In  essence,  cyberstalkers  exploit 
information  and  communications  technology,  particularly  the  Internet  to 
harass  another  individual,  group  of  individuals,  or  organization,  including 
false  accusations,  monitoring,  the  transmission  of  threats,  identity  theft, 
damage  to  data  or  equipment， the  solicitation  of  minors  for  sexual 
purposes,  and  gathering  information  for  harassment  purposes  (Wikipedia 
2008b).  This  article  will  consider  a  conceptual  dilemma  revolving  around 
the  limit  between  acceptable  observation  and  unacceptable  stalking, 
through  reading  of  a  few  cases  and  laws.  This  article  will  also  consider  an 
emerging  phenomenon  that  stalking  is  being  socialized  through  the 
pervasion  of  online  social  network  services. 


The  Internet  makes  stalking  different 


The  development  of  information  and  communications  technology  (ICT)  is 
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powerful,  bringing  it  with  omnifarious  opportunities  for  individual  and 
enterprise  users.  Indicators  such  as  growth  of  the  number  of  personal 
computers  and  Internet  users,  the  increase  in  the  number  of  web  sites， 
Internet  hosts  and  web  pages,  bandwidth  growth,  the  growth  of  scale  of  e- 
commerce  and  e-governance  demonstrate  the  essential  reality  of 
development  (Li  2008， pp.  82-89).  Neither  people  connected  through 
information  system  might  necessarily  be  as  good  as  within  a  Weberian 
formally  rational  regime， nor  as  bad  as  in  a  Hobbesian  “war  of  all  against 
all”， nor  as  ideal  as  Platonian  Republic,  and  Moresian  Utopia  (Li  2006d). 
To  understand  the  essence  of  cybersecurity,  we  must  hold  a  standpoint  of 
a  relative  concept  (Li  2006a;  Li  2006b).  Vulnerabilities  of  the  information 
society  impend  over  the  horizon  of  society’s  aspiration  to  an  affirmative 
prospect  (Li  2008， pp.  89-111).  Cyberinsecurity  and  cybercrime  impose 
new  work  load  on  people  thinking  about  welfare  of  this  generation  (see  Li 
1992;  Li  1994;  Li  2006a;  Li  2006b;  Li  2006c;  Li  2006d;  Li  2006e;  Li  2007a; 
Li  2007b;  Li  2008). 

Internet  services,  such  as  e-mails,  are  also  abused  by  cyberstalkers  to 
send  text-， graphic-,  audio-  and  video-based  messages  to  the  e-mail 
account  of  the  intended  victim， transmitting  the  content  of  threatening, 
alarming,  or  harassing  (D’Ovidio  and  Doyle  2003， pp.  10-17).  Other 
Internet  services  can  also  be  exploited  by  cyberstalkers  to  harass  other 
users,  either  directly  or  indirectly.  An  example  of  direct  harassment  can  be 
found  when  stalker  sends  harassing  messages  to  a  targeted  victim.  An 
example  of  indirect  harassment  can  be  found  when  a  stalker  uses  the 
Internet  communications  to  obtain  a  potential  victim’s  personal 
information,  such  as  a  home  address  etc.， and  then  uses  the  information  to 
contact  by  other  means  (Internet  Crime  Forum  IRC  subgroup  2001， p.  11). 

Behind  all  the  good  that  information  and  communications  technology 
does  to  contemporary  society,  victims  of  stalking  have  been  confronted 
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with  a  lugubrious  process  of  cyberization.  With  the  increase  of  Internet 
users,  web  sites,  Internet  hosts,  web  pages,  bandwidth,  and  the  growth  of 
e-commerce,  society  is  transiting  from  the  process  of  urbanization  to 
cyberization,  taking  shape  an  information  supercontinent.  The  increasing 
significance  of  the  Internet  for  society  and  the  accumulated  threats  of 
abuse  draw  widespread  consideration  (Li  2008， pp.  82-89).  People  are 
stymied  by  their  increasing  dependence  on  information  and 
communications  technology  as  the  solely  dominant  instrument  in  their 
routine  activity.  Unimaginable  consequences  are  possible  when  abuse  and 
crash  of  the  systems  occur.  Cyberization  makes  it  easier  for  stalkers  to 
have  access  to  more  victims,  to  exhibit  more  pestering  by  more  means, 
through  more  routes  and  in  broader  spatial  distribution,  to  repeat  more 
times  of  same  nuisance,  to  last  for  a  longer  span  of  time  of  harassment， 
and  to  cause  more  serious  ill  effects.  Cyberized  stalking  threatens  a  great 
population  of  netizens， who  in  turn  cannot  get  rid  of  such  harassment  by 
merely  moving  from  one  country  to  another,  or  by  disconnecting 
him/herself  from  the  Internet. 

Stalking  can  be  one  of  the  examples  of  uncontrollable  networked 
activities,  engendered  by  many  factors  characterizing  the  cyberspace. 
Universal  access  to  the  networked  information  systems  can  have  both 
constructive  and  unconstructive  characters  in  terms  of  social  development 
and  social  control.  Constructive,  for  the  reason  that  the  society  is 
regrouped  by  the  networks,  which  are  accessible  for  larger  number  of 
societal  members.  Unconstructive,  for  the  reason  that  the  traditional 
social  networks  have  been  substituted  and  the  members  are  migrating  to 
and  participating  the  construction  of  new  networks  (Li  2008,  p.  91).  The 
powerlessness  of  the  old  order  and  the  deficiency  of  the  new  order  will 
generate  an  integration  vacuity,  to  be  articulated  in  the  appearance  of 
disorder  and  confusion,  for  a  course  of  disintegration  and  disorganization 
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can  be  foreseen  during  this  change  (see  Mowrer  1942;  Elliot  and  Merrill 
1961).  Potential  cyberstalkers  can  be  placed  under  weaker  surveillance 
while  potential  stalkees  can  be  placed  under  weaker  protection  in 
cyberspace  than  in  meat  space.  In  Cullen  v  White  [2003]  WASC  153  (3 
September  2003)， the  defendant  originally  published  a  number  of  postings 
in  a  discussion  forum  on  the  World  Wide  Web,  disparaging  of  a  university 
where  the  plaintiff  once  worked  and  a  number  of  people  whom  the  plaintiff 
had  known  there.  After  the  plaintiff  had  known  this,  he  wrote  to  the 
webmaster  to  urge  him  to  remove  the  postings.  The  webmaster  published 
the  plaintiff s  letter  on  the  discussion  forum  web  page.  Within  days  the 
university  where  the  plaintiff  was  then  studying,  began  to  receive  e-mails 
from  the  defendant  claiming  that  the  plaintiff  was  a  fraud.  Within  two 
months,  the  defendant  had  created  a  web  site  for  his  attacks  on  the 
plaintiff.  The  cyberspace  armed  the  defendant  with  electronic 
bombardment  of  fake  accusations  about  the  victim. 

Conventional  countermeasures  and  theories  about  crime  prevention 
were  based  on  its  material  influence  and  on  the  material  environment, 
although  non- material  factors  have  long  existed,  too.  Cyberspace  is 
developed  from  information  systems  as  an  abstract  space,  differing  from 
the  material  devices  of  information  systems  that  include  terminals  and 
cables.  It  is  invisible  and  intangible  if  compared  with  traditional  space 
(Khosrow-Pour  1998,  p.  440;  Robertson  2000,  p.  248;  Dodge  and  Kitchin 
2001， p.  81).  Stalking  occurring  in  cyberspace  leaves  no  directviewing 
traces  except  electronic  traces,  causes  no  directviewing  effects  except 
digitalized  effects,  and  leads  to  no  directviewing  detection  except  through 
computerized  detection.  Yet  it  harms  the  victim  living  in  the  real  space. 

In  addition,  the  process  of  online  stalking  has  low  controllability. 
Since  the  early  days  of  invention  and  use  of  the  computer  and  the 
Internet,  insufficient  efforts  have  been  made  to  exercise  control  over 
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conducts  facilitated  by  them.  Thus  the  idea  of  control  over  the  Internet  has 
been  located  in  an  extremely  embarrassing  position: 

“The  Internet  can  be  controlled  by  any  of  the  users  if  there  is  anyone 
trying  to  exercise  control  over  part  of  it;  but  it  cannot  be  controlled  by  any 
of  the  users  if  they  want  to  exercise  absolute  control  over  the  whole 
system.  The  low  controllability  by  one  means,  on  the  other  hand,  the  high 
possibility  of  control  by  many  others.  The  low  controllability  by  authorized 
users  means  the  high  possibility  of  control  by  unauthorized  uses.”  (Li 
2008,  p.  94) 

“The  impossibility  of  control  over  the  Internet  immunizes  individuals 
and  institutions  from  any  liability  for  the  omission  of  such  a  control. 
Under  these  circumstances,  neither  an  ex  ante  obligation  nor  an  ex  post 
liability  can  be  adhered  to  as  far  as  related  individuals  and  institutions 
are  concerned.  Thus  the  incentive  for  control  will  hardly  be  strong.”  (Li 
2008,  p.  96) 

From  Cullen  v  White,  we  can  see  that  once  stalking  takes  place， the 
victim’s  wish  of  stopping  the  spread  of  the  false  accusations  becomes 
problematic  before  they  are  clearly  identified， conflicting  the  popular 
position  of  free  information  and  the  legal  orientation  of  free  speech. 

Data  processed  and  transmitted  via  information  systems  can  also  be 
of  low  confidentiality.  In  principle,  it  is  required  that  protected  data  in 
information  systems  be  “obtained  and  processed  fairly  and 
lawfully”  (Council  of  Europe  Convention  for  the  Protection  of  Individuals  with 
Regard  to  Automatic  Processing  of  Personal  Data,  Article  5;  Directive  95/46/EC, 
Article  1  (a)).  Technical  and  organizational  measures  should  be  taken  to 
protect  personal  data  against  access  without  authorization,  manipulation, 
disclosure,  transfer  and  other  processing  without  legal  reason.  Besides 
general  protection  of  personal  data,  sensitive  personal  data  are  granted 


102 


special  safeguard  by  law.  Information  systems  are  usually  analogous  to  a 
place  with  unrestricted  freedom  and  where  the  information  is  less 
confidential.  Weak  technical  control  and  weak  human  control  are  the  main 
factors  that  expose  the  weakness  of  the  systems  (Li  2008， pp.  100-102). 
Under  such  circumstances,  information  about  netizens  can  easily  be  pried 
and  subsequently  exploited  by  potential  stalkers,  not  to  mention  general 
hackers. 

Furthermore,  anonymity  in  cyberspace  does  also  matter.  The  real 
identity  of  the  user  is  not  necessary  for  using  the  Internet.  In  the 
environment  of  online  communications,  particularly  during  interaction 
between  remote  strangers,  information  systems  provide  the  possibility  of 
maintaining  anonymity,  and  we  found  that  the  users  of  information 
systems  have  the  willingness  to  stay  passively  anonymous,  not  necessarily 
actively  lying  to  their  counterparts  (Li  2008， pp.  103-105).  In  the  case  of 
stalking,  a  stalker  can  sedulously  conceal  his/her  identity  while  revealing 
or  using  the  victim’s.  In  USA  v.  Erik  Bowker  (United  States  of  America, 
Plaintiff- appellee,  v.  Erik  Bowker,  Defendant-appellant,  United  States 
Court  of  Appeals  (Sixth  Circuit.  -  372  F.3d  365， Submitted:  March  10, 
2004  Decided  and  Filed:  June  11， 2004)， during  over  one  year,  the  stalker 
sent  a  number  of  emails  full  of  verbal  threats  relating  to  the  victim.  The 
emails  were  sent  from  several  different  email  addresses  and  purported  to 
be  from  an  individual  variously  identified.  After  an  FBI  Special  Agent  sent 
emails  to  the  various  email  addresses  on  the  correspondence  pertaining  to 
the  victim,  the  victim  began  receiving  hand-written  notes  from  a  person  of 
different  identity  almost  every  couple  of  days.  Even  worse,  after  the  victim 
more  to  a  new  location,  the  stalker,  with  different  identities,  sent  the 
victim  a  card  saying  that  his  letters  to  her  were  all  online  in  a  mail 
account  at  yahoo.com.  The  stalker  also  continued  to  attempt  telephone 
contact  with  the  victim,  146  telephone  calls  from  his  cell  phone  to  where 
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the  victim  worked  and  16  calls  to  the  victim’s  personal  residential 
telephone.  Knight’s  number  was  unlisted  and  unpublished.  While  the 
stalking  was  continuous  and  obsessive,  the  identity  of  the  stalker  reserved 
changed  and  concealed,  taking  FBI  agent  several  months  to  trace  back. 

It  is  necessary  to  point  out  that,  anonymity  does  only  not  cost  the 
victim  and  law  enforcement,  but  also  cost  the  perpetrator.  As  Ariz.  Rev. 
Stat.  §  13-2921  provides  that,  if  a  person  anonymously  or  otherwise 
contacts,  communicates  or  causes  a  communication  with  another  person 
by  verbal,  electronic,  mechanical,  telegraphic,  telephonic  or  written  means 
in  a  manner  that  harasses,  his/her  act  constitutes  the  offence  of 
harassment  (see  also  Ala.  Code  §  13A-11-8  (b)(1) a). 

The  Internet  and  the  World  Wide  Web  enable  to  broadcast  false 
accusations  and  induce  third  party  harassment.  The  stalker  might  publish 
malicious  postings  to  My  Space， Facebook， Craig’s  List  and  other  Internet 
social  sites,  disclosing  the  stalkee’s  personal  identity  information.  In  one 
case,  a  stalker  posed  himself  as  the  stalkee  and  distributed  Web  site 
invitations  to  visit  her  residence  for  sexual  gratification  (Office  of  the 
United  States  Attorney  Western  District  of  Missouri  John  F.  Wood  2008). 
Here  the  stalker  did  harms  to  the  victim  through  the  hands  of  many 
others.  Information  and  communications  technology  enables  abundant 
methods  for  spreading  malicious  usually  falsified  messages  using  falsified 
identity.  In  order  to  prevent  and  deter  similar  stalking,  newly 
implemented  laws  usually  criminalize  act  of  “causing  a  communication 
with  another  person  by  verbal,  electronic,  mechanical,  telegraphic, 
telephonic  or  written  means  in  a  manner  that  harasses”  (Wyo.  Stat.  §  6-2- 
506  (b)(i)). 

From  above  discussion,  a  natural  conclusion  can  be  drawn  that  new 
technologies  are  making  detection  of  stalking  harder  while  making 
operation  of  stalking  easier. 
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Human  flesh  search  engine:  enabling  the  unable 


Stalking  without  the  Internet  and  stalking  with  the  Internet  can  have 
similar  effects.  In  R.  v.  Goll  (Gill,  R  v  [1998]  EWCA  Crim  1061  (24th 
March,  1998)， No:  97/5998/Y4),  the  stalker  wrote  eight  letters  to  the 
victim,  containing  both  threats  and  expressions  of  the  way  the  stalker  felt 
attracted  to  her,  causing  her  and  her  family  a  great  deal  of  stress  and 
anxiety.  The  same  stalker  also  sent  65  letters  to  another  victim  in  the 
same  way. 

Cyber  stalking,  involving  the  repeated  and  persistent  attempt  by  one 
individual,  the  stalker,  to  harass  another  individual,  the  victim,  using  the 
Internet  or  other  open  network  (Burmester,  Henry  and  Kermes  2005),  can 
produce  the  same  effect  as  this  traditional  one.  Nonetheless,  cyberstalking 
can  have  many  different  characteristic s . 

Stalking  firstly  means  collecting  information  about  somebody  and 
his/her  whereabouts.  Down  the  ages,  process  of  information  collection 
becomes  increasingly  straightforward.  In  USA  v.  Devon  Lynn  Townsend 
(Cr.  No.  07-CR-1363-WJ,  Document  20.  Filed  06/29/2007)， during  1 1 
months,  the  defendant  from  New  Mexico  used  an  interactive  computer 
service,  and  a  facility  of  interstate  commerce  to  engage  in  a  course  of 
conduct  that  caused  substantial  emotional  distress  to  Mr.  and  Mrs. 
Chester  and  Talinda  Bennington  in  California  (pp.  5-6).  Over  the  course  of 
several  months,  the  defendant  was  able  to  access  all  sorts  of  private 
information  about  the  Benningtons  from  their  private  e-mail  accounts, 
including: 

“(a)  family  pictures  of  the  Benningtons  and  their  minor  children; 
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(b)  correspondence  between  Warner  Brothers  Records  and  the 
business  attorney  for  Linkin  Park,  including  a  copy  of  a  check  made 
payable  to  Chester  Bennington  from  the  record  company  as  well  as  a  copy 
of  the  recording  contract  between  Warner  Brothers  Records  and  the 
members  of  Linkin  Park; 

(c)  information  about  a  new  home  purchase  by  the  Benningtons  which 
included  such  documents  as  a  home  inspection  report,  images  of  the 
home’s  interior,  and  other  real  estate  documents; 

(d)  information  about  the  Benningtons'  travel  plans  including  flight 
information  and  the  name  of  motels  and  hotels  where  the  Benningtons 
had  reservations; 

(e)  a  copy  of  a  dental  bill  for  Talinda  Bennington; 

(f)  information  about  the  time  and  location  of  Mrs.  Bennington’s 
childbirth  classes; 

(g)  e-mail  correspondence  concerning  the  whereabouts  and  after 
school  activities  of  the  Benningtons’  child; 

(h)  information  about  purchases  the  Benningtons  made  for  their 
newborn  child; 

(i)  information  about  the  schedule  and  itinerary  of  the  members  of 
Linkin  Park,  including  their  itinerary  for  the  Grammy  awards  show  in 
2006”  (pp.  7-8). 

It  is  surprising  that  these  items  of  information  can  be  obtained 
through  the  powerful  function  of  search  engine,  which  is  termed  “renrou 
sousuo  yinqing”  in  Chinese  (literally  meaning  human  flesh  searching 
engine  in  English).  The  power  of  urenrou  sousuo  yinqing”  does  not  come 
from  anything  distinct  from  existing  search  engines,  but  from  mobilizing 
hundreds,  thousands  or  millions  of  Internet  users  to  participate  in,  to 
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concern,  to  search,  to  contribute  their  findings,  and  even  to  track  down  all 
the  way  into  target  person’s  company,  family,  house,  car,  mobile  phone,  e- 
mail  account  and  other  online  identity.  In  many  published  cases,  human 
flesh  search  mobilization  has  positively  assisted  to  identify  deviants  in  a 
more  efficient  way.  It  should  be  considered  valuable  for  law  enforcement  to 
reasonably  develop  and  use  such  an  approach.  At  the  same  time,  many 
people  are  worried  about  issues  such  as  disclosure  of  personal  privacy.  As 
far  as  malicious  search  is  concerned,  human  flesh  search  engine  can  be 
abused  in  stalking  and  harming  a  benign  party,  or  a  party  that  his/her 
deviant  behaviour  should  not  be  publicised  as  in  such  details. 

Usually,  traditional  and  electronic  methods  are  incorporated  in  real- 
life  stalking.  The  Internet  provides  stalkers  with  either  primary 
information  or  complementary  information  about  the  stalkee.  For 
example,  in  Johnson,  R  (on  the  application  of)  v  DPP  ([2005]  EWHC  3123 
(Admin)  (08  December  2005))，  the  stalker  used  direct  harassment, 
consisted  of  silent  telephone  calls  at  work,  home  and  on  the  victim’s  mobile 
phone;  following  her,  appearing  by  the  classroom  and  in  the  car  park; 
following  her  in  his  car,  causing  her  to  feel  scared  and  threatened; 
following  her,  swerving  in  front  of  her  and  braking  sharply,  in  order  to 
prevent  her  getting  past;  trying  to  drive  her  off  the  road.  The  stalker 
searched  home  addresses  of  various  people  called  the  same  name  as  the 
stalkee.  There  was  also  indirect  harassment,  consisted  of  a  barrage  of 
letters  to  the  victim’s  employers  questioning  her  professional  conduct  and 
fitness  to  teach  and  causing  internal  investigations  to  take  place.  The 
conduct  here  belongs  primarily  to  traditional  stalking,  but  there  is  also  the 
element  of  cyberstalking. 

The  incorporation  of  stalking  and  cyberstalking  can  well  illustrate 
the  similarities  and  differences  between  them,  and  sketch  the  evolution 
process  of  deviant  behaviours. 
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Information  and  communications  technology  created,  inter  alia, 
convenience  for  forming  of  large  online  social  networks,  which  are 
facilitated  by  websites  specialized  on  so-called  social  network  services. 
Social  network  services  convoke  groups  of  people  who  have  common 
experience,  or  share  common  interests,  or  even  participate  in  common 
activities.  Currently,  primary  social  network  services  are  provided  by 
websites  such  as  MySpace， Facebook， Friendster,  Hi5,  etc.  Emerging  social 
networks  can  be  viewed  as  a  double-edged  sword,  granting  curious  users 
greater  freedom  of  information  access  on  the  one  hand,  while  bringing 
about  more  threats  to  unprotected  netizens  on  the  other.  Indeed,  online 
social  network  services  change  traditional  stalking  into  a  socialized  lethal 
weapon:  collective  stalking,  organized  stalking,  industrialized  stalking, 
and  worldwide  stalking  become  a  near  reality. 


Searching  or  stalking:  an  ambiguous  limit 


It  is  necessary  to  discuss  an  issue  related  to  how  people  think  about 
information  about  them.  Some  information  can  have  greatly  different 
status  in  different  cultures,  different  industries,  and  different  uses. 

The  sensitivity  of  different  aspects  of  personal  information  differs 
from  one  (sub) culture  to  the  other.  For  example,  the  status  of  information 
about  one’s  age  can  range  from  absolutely  public  to  absolutely  private. 
When  people  meet  in  rural  Northern  China,  it  is  a  usual  practice  that 
people  exchange  information  about  each  other’s  name， age  and  family 
members.  There  is  hardly  any  taboo  subject  from  information  about  their 
personal,  family  and  professional  information,  including,  for  example, 
inability,  salary,  residence,  and  so  on.  Here,  age  is  public.  But  in  many 
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other  cultures,  age  is  more  or  less  a  taboo,  asking  one’s  age  being  a  coarse¬ 
grained  behaviour.  As  a  result,  people  from  a  culture  that  holds  age  public 
making  every  attempt  to  ask  one’s  age  from  a  culture  that  holds  age 
private  may  well  be  defined  as  a  kind  of  stalking. 

With  search  engine,  it  is  very  effortless  to  find  a  set  of  personal 
information  about  someone  you  are  unfamiliar  with,  particularly,  about 
celebrities.  Often  times,  such  information  can  be  as  detailed  from  their 
sex,  age,  education,  current  profession,  work  experience,  hobbies  and 
interests,  places  visited,  articles  and  books  published,  conferences 
participated,  or  even  residence,  and  their  family  members’  sex,  age, 
education  and  profession.  Such  information  can  be  collected  by  various 
“fans”， or  provided  by  people  themselves.  In  USA  v.  Devon  Lynn  Townsend 
(Cr.  No.  07-CR-1363-WJ,  Document  20.  Filed  06/29/2007)， the  defendant 
has  been  a  fan  of  the  alternative  or  nu  metal  band  Linkin  Park,  for  which 
the  stalkee  Chester  Bennington  is  the  lead  singer,  and  Talinda 
Bennington  is  Chester  Bennington’s  wife  (p.  6).  He  learned  a  lot  through 
the  Internet  about  Chester  and  Talinda  Bennington.  After  he  gained 
unauthorized  access  to  a  server  of  yahoo.com， he  hacked  into  Chester 
Bennington’s  personal  e-mail  account,  being  able  to  review  and  download 
all  of  Mr.  Bennington’s  private  e-mail  correspondence  there,  and  to  find 
out  about  Talinda  Bennington’s  e-mail  address  from  accessing  her 
husband’s  account  (pp.  6-7). 

Professor  is  in  no  way  a  star-like  profession,  yet  occasionally  some  of 
them  disclose  their  personal  information  in  details  as  those  stars  do.  Their 
original  intention  may  be  to  relate  such  information  to  their  academic 
proposition  and  they  think  their  information  will  interest  anyone  other 
than  colleagues  and  students.  Transmitted  from  academic  circles  to  other 
communities,  however,  such  information  can  become  source  of  stalking. 

Sometimes,  personal  information  is  published  on  some  media  for 
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public  use,  such  as  telephone  directory,  which  usually  collects  names, 
profession,  telephone  numbers,  residence  addresses,  websites,  and  even  e- 
mail  accounts.  Publishing  such  information  means  users  of  this  directory 
can  make  telephone  calls,  write  letters  or  e-mails,  visit  homepages,  and 
even  pay  visits  in  person  to  them.  Disputation  does  not  occur  about  the 
legal  nature  of  using  public  information,  but  occurs  about  who  can,  at 
what  time,  how  frequently,  and  for  what  purpose  one  can  use  such 
information.  Such  disputation  is  involved  particularly  when  it  happens 
that  difficult  is  to  judge  whether  an  act  is  normal  use  or  abnormal  use  of 
contact  information.  Some  stalking  laws  and  cyberstalking  laws  give 
unique  answers  to  provide  constituents  of  the  tort  or  the  offence.  For 
example,  Australian  Capital  Territory  Crimes  Act  1900  s34A  (see  also 
Northern  Territory  Criminal  Code  Act  1997  sl89  (1)， Queensland  Criminal 
Code  Act  1899  s359A  (7)， South  Australia  Criminal  Law  Consolidation  Act 
1935  sl9AA  (l)(a),  Victoria  Crimes  Act  1958  s2lA  (2))  provides  that 
stalking  shall  be  constituted,  on  at  least  two  occasions,  the  stalker 

“(a)  follows  or  approaches  the  other  person; 

(b)  loiters  near,  watches,  approaches  or  enters  a  place  where  the 
other  person  resides,  works  or  visits; 

(c)  keeps  the  other  person  under  surveillance; 

(d)  interferes  with  property  in  the  possession  of  the  other  person; 

(e)  gives  or  sends  offensive  material  to  the  other  person  or  leaves 
offensive  material  where  it  is  likely  to  be  found  by,  given  to  or  brought  to 
the  attention  of,  the  other  person; 

(f)  telephones  or  otherwise  contacts  the  other  person; 

(g)  acts  covertly  in  a  manner  that  could  reasonably  be  expected  to 
arouse  apprehension  or  fear  in  the  other  person;  or 
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(h)  engages  in  conduct  amounting  to  intimidation， harassment  or 
molestation  of  the  other  person.”  (subsection  (2)) 

And  with  intent  to  cause  the  following  effect: 

“(a)  apprehension  or  fear  of  serious  harm  in  the  other  person  or  a 
third  person;  or 

(b)  serious  harm  to  the  other  person  or  a  third  person.”  (subsection 

⑴） 

It  is  also  easy  to  find  in  stalking  laws  the  clear  illumination  about 
the  subjective  aspect.  New  South  Wales  Crimes  Act  1900  s562AB  provides 
that  “a  person  intends  to  cause  fear  of  personal  injury  if  he  or  she  knows 
that  the  conduct  is  likely  to  cause  fear  in  the  other  person.”  (subsection  (3)， 
see  also  South  Australia  Criminal  Law  Consolidation  Act  1935  sl9AA 
(l)(b)， Victoria  Crimes  Act  1958  s2lA  (3)) 

Queensland  Criminal  Code  Act  1899  s359A  clarifies  the  objective 
and  subjective  aspects  of  the  offence.  Besides， the  merit  of  this  law  is  that 
it  establishes  a  prerequisite  the  offence  of  stalking  to  be  constituted  that 
the  potential  stalkee  be  aware  of  the  stalking  is  directed  at  the  him/her, 
hence  he/she  can  (subsection  (l)(c)).  This  law  might  have  clarified  another 
significant  aspect  about  stalking  by  excluding  the  course  of  conduct 
engaged  in  for  the  purposes  of  a  genuine  industrial  dispute,  or  political  or 
other  public  dispute  or  issue  carried  on  in  the  public  interest  (subsection 
(4)).  Victoria  Crimes  Act  1958  s21A  (4)  detailedly  lists  exceptions  by 
pointing  out  conduct  engaged  in  by  a  person  performing  official  duties  for 
the  purpose  of  the  enforcement  of  the  criminal  law,  the  administration  of 
any  Act,  the  enforcement  of  a  law  imposing  a  pecuniary  penalty,  the 
execution  of  a  warrant,  or  the  protection  of  the  public  revenue.  Ala.  Code  § 
13A-11-8  (b)(l)b.  generalizes  such  a  prerequisite  as  an  act  (that  is  making 
a  telephone  call)  “with  no  purpose  of  legitimate  communication”. 
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However,  the  drawback  of  a  provision  in  Queensland  Criminal  Code 
Act  1899  s359A  is  located  in  its  subsection  (2)(b)， which  provides  that  “the 
first  person  intends  that  the  second  person  be  aware  that  the  course  of 
conduct  is  directed  at  the  second  person,  even  if  the  concerning  acts  or 
particular  concerning  acts  are  done  to,  or  to  the  property  of,  a  person  other 
than  the  second  person.”  The  clause  blurs  the  natures  of  a  harassing 
conduct  of  a  person  who  deliberately  makes  the  stalkee  aware  of  the 
conduct  and  a  harassing  conduct  of  a  person  who  deliberately  makes  the 
stalkee  unaware  of  the  conduct. 

Clarification  of  another  possible  misgiving  about  the  constitution  of 
stalking  may  refer  to  Alaska  Stat.  §  11.41.270  (b)(3)， which  provides  a 
definition  for  “nonconsensual  contact’’， as  “any  contact  with  another 
person  that  is  initiated  or  continued  without  that  person’s  consent,  that  is 
beyond  the  scope  of  the  consent  provided  by  that  person,  or  that  is  in 
disregard  of  that  person’s  expressed  desire  that  the  contact  be  avoided  or 
discontinued.” 


Conclusion 

Exploiting  new  technological  methods,  cyberstalking  poses  severe 
intimidation  to  netizens  who  are  told  that  cyberspace  could  enable  them 
many  things,  fast  and  efficiently,  in  the  information  age.  Shortly  after 
traditional  stalking  had  been  criminalized,  new  approaches  for  stalking 
emerged  as  the  adoption  of  some  high  technological  inventions  were  used 
in  monitoring  people’s  activities.  Based  on  the  recognition  of  stalking  as  a 
kind  of  long-existing  human-human  observation,  this  article  expatiates  on 
recent  development  that  can  be  expressed  as  from  traditional  stalking  to 
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cyberstalking  by  presenting  particular  power  of  information  and 
communications  technology  and  search  engines.  This  article  considers  an 
emerging  phenomenon  that  stalking  is  being  socialized  through  the 
pervasion  of  online  social  network  services.  Generally,  information  and 
communications  technology  makes  stalking  prevalent,  serious,  ubiquitous, 
and  socialized.  The  article  discusses  the  limit  between  reasonable  use  of 
information  and  legal  constitution  of  stalking. 
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CHAPTER  VI  UNSOLOCITED  COMMERCIAL  E- 
MAIL 


Introduction 


With  the  development  of  e-commerce  and  the  prevalence  of  the  Internet,  e- 
mail  has  become  the  primary  means  of  communications  and  marketing. 
Compared  with  the  traditional  marketing  tools,  e-mail  has  obvious 
advantages.  However,  the  abuse  of  e-mail  disturbs  the  normal 
communications  services,  and  influences  the  environment  for  the  public  to 
use  the  Internet.  The  reception  of  unsolicited  electronic  messages  and 
commercial  information  become  a  pervasive  social  and  economic  problem. 
The  difficulties  in  identifying  the  senders  and  in  compensating  the 
recipients’  losses  further  prove  the  uncontrollability  of  the  Internet. 
Spamming  impedes  the  effective  application  of  telecommunications  to  the 
individual  and  business  communication,  baffles  the  consumers*  acceptance 
of  legal  e-marketing,  and  in  turn,  hinders  the  growth  of  the  e-commerce. 
Many  individuals  and  institutions  are  making  efforts  to  seek  solutions  to 
the  problem  (for  example,  Coalition  Against  Unsolicited  Commercial 
Email,  1999;  Cobb,  2003;  Direct  Marketing  Association;  Federal  Trade 
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Commission,  1998,  2003;  Ferguson  &  Piragoff,  1997;  Gartner  Consulting, 
1999;  Gauthronet  &  Drouard,  2001;  Goodman  &  Rounth waite,  2004; 
Hansell,  2003;  International  Telecommunication  Union,  2004;  Khong, 
2001， 2004;  Midnet  Media,  2003;  Mail  Abuse  Prevention  System,  2004; 
Organization  of  Economic  Cooperation  and  Development,  2003， 2004; 
Peppers  &  Rogers,  2000;  World  Summit  of  Information  Society,  2003  and 
many  others).  In  order  to  ensure  the  convenience  of  the  Internet  use  and 
improve  the  security  and  efficiency  of  the  Internet  environment,  some 
countries  have  implemented  specific  legislation  to  regulate  spam;  the 
European  directives  required  the  member  states  to  incorporate 
commercial  e-mail  rules  in  the  provisions  on  privacy  and 
telecommunications.  Organization  of  Economic  Cooperation  and 
Development  (OECD)  called  for  legislation  and  international  cooperation 
in  combating  spam.  Based  on  documentary  analysis  and  empirical  study, 
this  Chapter  explores  the  threats  of  the  unsolicited  commercial  e-mail  and 
the  difficulties  in  dealing  with  the  problem,  analyzes  the  dilemmas  in 
combating  spam  under  the  present  legal  framework,  and  suggests  possible 
countermeasures. 


Background  and  definition  of  spam 


As  the  capability  of  computers  and  networks  to  process  information 
increases,  "a  wealth  of  information"  can  lead  to  a  "poverty  of  attention” 
(Simon,  1982).  Unsolicited  business  e-mail  (UBE)  or  unsolicited 
commercial  e-mail  (UCE)  represents  an  example  that  e-mail  users  have  to 
deal  with  the  superfluous  information  they  do  not  expect  to  consume.  It  is 
generally  called  bulk  mail  or  spam.  It  turns  out  that  spam  has  evolved  into 
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a  large  amount  of  information  garbage,  polluting  the  environment  of  e- 
marketing.  When  we  talk  about  the  phenomenon  of  spam,  we  are  talking 
about  a  negative  externality  in  e-marketing  that  people  try  to  get  rid  of.  It 
brings  about  the  negative  image  of  e-marketing,  frightening  e-mail  users 
from  trusting  the  e-mail  communications. 

Up  to  April  2005， the  population  of  global  e-mail  users  increased  to 
683  million,  with  almost  1.2  billion  lively  accounts.  The  e-mail  marketing 
has  been  regarded  as  one  of  the  most  successful  marketing  means  on  the 
Internet  (Niall， 2000).  Unfortunately,  with  the  increase  of  the  e-mail 
usage,  two  thirds  of  the  total  130  billion  messages  sent  and  received 
everyday  are  unsolicited  (Radical  Group,  2005). 

In  nature,  e-mails  can  be  a  kind  of  information  goods,  for  example， 
messages  provided  by  the  paid  subscription  services;  while  at  the  same 
time,  e-mail  can  also  be  a  kind  of  bads,  in  case  the  subscribed  paid 
information  are  harmful  to  general  public  or  to  specific  groups  or  a  certain 
person.  If  the  information  is  provided  free  of  charge,  it  becomes  an 
externality.  When  the  messages  are  useful,  they  are  positive  externalities; 
when  they  are  harmful,  they  become  negative  externalities.  Whether  they 
are  with  charge  or  without  charge  is  decided  by  the  sender;  but  whether 
they  are  useful  or  harmful,  is  decided  by  the  recipient. 

Nonetheless,  spam  sent  out  to  multiple  recipients,  blemishes  the 
name  of  e-mail  marketing  (Wreden,  1999;  Wright  and  Bolfing， 2001). 
Institute  of  Management  Technology  (IMT)  Strategies  (2001)  found  that 
the  e-mails  that  the  users  never  read  are  increasing,  and  the  consumers 
tend  to  constraint  or  interrupt  the  e-commercial  contacts.  Before  the 
universal  access  to  the  Internet  was  available,  the  e-mail  spam  was  really 
a  small  trouble.  But  today,  most  users  worldwide  are  confronted  with  this 
problem  nearly  everyday.  The  problem  has  increasingly  important 
influence  on  the  consuming  behaviors.  In  an  Info  World  article  (2003),  a 
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survey  disclosed  that  over  forty  percent  of  respondents  answered 
unsolicited  e-mail  as  the  worst  problem  in  the  field  of  information 
technology  industry  in  the  previous  year.  The  scale  and  effect  of  the  spam 
prevalence  implies  that  spam  has  become  ’’significant  and  growing 
problem  for  users,  networks  and  the  Internet  as  a  whole”  (World  Summit 
on  the  Information  Society  (WSIS)  Declaration,  2003,  paragraph  37). 

Most  people  have  some  unclear  awareness  that  spam  at  first  came 
from  the  ’’spam  skit  by  Monty  Python’s  Flying  Circus’’1  (Templeton,  2003). 
However,  according  to  Templeton  (2003)， the  history  of  spam  can  be  traced 
back  to  the  late  1970’s  with  a  number  of  network  services  that  were  sent 
multiple  mailings,  these  initial  group  mailings  were  not  considered 
annoying  and  as  a  result  they  got  the  chance  of  wide  online  spread 
(Templeton,  2003).  Kelly  (2002)  explored  the  history  of  spam  and  believed 
that  it  was  born  on  April  12， 1994.  We  can  also  reasonably  judge  that  it 
was  until  the  Internet  was  in  its  wide  usage,  when  unsolicited  e-mail 
posed  a  real  threat. 

The  consensus  on  the  definition  of  unsolicited  e-mail  is  nearly 
reached  among  academia,  legislature,  and  law  enforcement,  even  though 
the  actual  legal  practices  are  few.  Mail  Abuse  Prevention  System  (2004) 
defined  spam  as: 

"An  electronic  message  is  ’spam’  if:  (1)  the  recipient’s  personal  identity 
and  context  are  irrelevant  because  the  message  is  equally  applicable  to 
many  other  potential  recipients;  and  (2)  the  recipient  has  not  verifiably 
granted  deliberate,  explicit， and  still-revocable  permission  for  it  to  be  sent; 
and  (3)  the  transmission  and  reception  of  the  message  appears  to  the 
recipient  to  give  a  disproportionate  benefit  to  the  sender." 

Although  the  definition  of  e-mail  spam  only  denotes  to  the  sender  and 
recipient,  they  can  be  understood  as  covering  individuals,  organizations, 


120 


enterprises,  and  public  institutions.  It  is  a  common  concern  in  local, 
national,  and  international  layers.  During  the  Geneva  phase  of  the  World 
Summit  on  the  Information  Society， spam  was  identified  as  a  potential 
threat  to  the  full  utilization  of  the  Internet  and  e-mail  (International 
Telecommunication  Union,  2004). 

Classification  of  spam  is  vital  from  a  legal  standpoint,  because  most 
spam  legislation  targets  a  particular  type,  such  as  business  e-mails,  or 
deceptive  spam.  The  United  States  Federal  Trade  Commission  identified 
twelve  most  likely  spam  scams:  business  opportunity  scams,  making 
money  by  sending  bulk  e-mailing,  chain  letters,  work-at-home  schemes, 
health  and  diet  scams,  easy  money,  get  something  for  free,  investment 
opportunities,  cable  descrambler  kits,  guaranteed  loans  or  credits  on  easy 
terms,  credit  repair  scams,  and  vacation  prize  promotions  (Federal  Trade 
Commission,  1998). 

The  unsolicited  e-mail  being  a  central  concern,  spam  can  also  come 
from  other  sources,  such  as  newsgroups,  mobile  phones  Short  Message 
Service  (SMS)  and  instant  messenger  services.  The  legal  solution  to  these 
kinds  of  spam  is  possibly  in  common,  and  countries  have  laws  to  cover 
spam  of  these  and  other  forms  of  media,  but  this  Chapter  is  mainly 
concentrated  on  e-mail  spam. 


Comparison  between  traditional  and  e-mail  advertisements 


Besides  interpersonal  interaction  through  e-mail,  e-mail  has  also  broad 
usage  in  advertising  as  well.  What  accompanies  the  unsolicited 
commercial  e-mail  is  that  it  parallels  with  the  legal  advertisements,  that 
is,  e-mail  advertisements.  To  better  understand  the  phenomenon  of  spam 
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and  find  effective  preventive  mechanisms,  the  following  section 
contributes  to  compare  the  advantages  and  disadvantages  of  traditional 
advertisements,  particularly  postal  advertisements,  and  the  e-mail 
advertisements  (See  Table  4). 


Table  3  Comparison  between  traditional  advertisements  and  e-mail 
advertisements 


Compared 

Items 

Traditional 

advertisements 

i 

-mail  advertisements 

Public 

consciousness 

Familiar 

Unfamiliar 

Scope 

Indirectly  attention-  getting 

Direct  attention-getting 

Basis  of  trust 

Publicity 

Confidentiality 

Targeted 

audience 

Mainly  subscriber 

Mainly  non- subscriber 

Censorship 

Involving  intermediary 

censorship 

Lacking  intermediary 

censorship 

Costs 

High 

Low 

Form  of  trade 

Traditional  form  to 

traditional  form 

Electronic  form  to 

traditional  form  or 

electronic  form 

Sending  and 

reply  addresses 

Provided,  mostly  the  same 

Provided  or  not,  same  or 

different 

Receiving 

addresses 

Limited  territorial  range. 

The  wider  the  territorial 

Unlimited  territorial  range. 

Costs  independent  of 
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range,  the  higher  the  costs 

territorial  range. 

Jurisdiction  on 

disputes 

Easy  to  ascertain  according 

to  existing  laws, 

regulations  and  cases. 

Difficult  to  ascertain. 

Lacking  ready  laws, 

regulations  and  cases. 

Regulation  on 

spam 

Yes 

No 

Possibility  of 

regulation  on 

spam 

Easy 

Difficult 

Collection  of 

evidence  on 

spam 

Converse  investigation: 

from  consumer  to  registered 

or  licensed  intermediary 

and  advertiser. 

Difficult  to  investigate.  No 

such  registration  or  license. 

Deterrence  of 

punishment  on 

spam 

Strong 

Weak 

Possibility  of 

recommitment  of 

spamming 

Low 

High 

Effect  of  spam 

As  the  increase  of 

traditional  advertisements, 

advertisers  and 

intermediaries  better  off, 

while  recipients  better  off, 

or  no  change. 

As  the  increase  of 

unsolicited  e-mail 

advertisements,  advertisers 

and  intermediaries  better 

off,  while  recipients  will 

worse  off. 

The  e-mail  marketing  has  the  following  advantages: 
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•  (i)  Being  directly  attention-getting.  In  most  cases,  the  e-mail 
advertisements  are  similar  to  traditional  advertisements  in  the 
form  that  the  audience  are  not  strictly  divided  and  designated,  such 
as  the  advertisements  in  newspapers,  magazines,  radios,  TV 
programs,  outdoor  advertisements,  or  even  online  banner 
advertisement.  But  the  e-mail  marketing  has  the  high  potential  to 
provide  personalized  information  according  to  the  users'  different 
needs,  hobbies,  and  interests.  It  is  not  strange  that  a  professor 
receives  advertisements  on  conferences,  sales  of  books,  and  so  on; 
that  a  professor  of  economics  receives  more  specified  information  on 
conferences  on  economics,  sales  of  economic  books,  and  so  forth. 
Many  other  forms  of  advertisements  do  not  have  so  concentrated  an 
audience.  Peppers  and  Rogers’  study  (2000,  p  4)  discovered  that  the 
one  of  the  success  factors  enabling  the  e-mail  marketing  to  work 
well  is  ’’high  response  rates."  The  average  reply  rate  of  e-mail  is  5- 
15  percent  versus  1-2  percent  for  direct  mail  and  0.005-1  percent  for 
banner  advertising,  while  the  e-mail  marketing  creates  a  positive 
effect  on  branding  efforts  (Midnet  Media,  2003,  p.l). 

•  (ii)  Interactive  marketing.  The  e-mail  marketing  can  keep  more 
customers.  The  decrease  of  costs  and  timelines  permits  business  to 
communicate  with  customers  more  frequently.  Regular  e-mail 
marketing  to  existing  customers  generates  a  15-50  percent  increase 
in  overall  online  trade.  Engaging  customers  in  a  two-way  dialogue 
enhances  customer  satisfaction  and  yield  quicker  response  (C.f. 
Sandiego  Media  Inc.,  2005). 


•  (iii)  Confidentiality.  The  contents  of  e-mail  advertisements  are  not 
necessarily  confidential.  E-mail  is  not  in  itself  the  most  confidential 
form  of  communications.  But  for  a  certain  users  in  a  certain 
environment,  the  e-mail  marketing  is  like  a  consult  or  negotiation 
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in  a  closed  room.  What  the  user  decide  to  buy,  to  whom  the  user 
pays,  and  what  and  from  which  address  the  user  receives,  are  not 
directly  showed  to  anyone  else.  In  case  that  the  user  consumes 
digital  information,  the  e-mail  and  other  electronic  or  online 
marketing  might  be  the  most  suitable  means. 

•  (iv)  Low  cost.  The  e-mail  marketing  lowers  costs  and  increases 
profits.  The  e-mail  marketing  supplies  cost- saving  benefits， such  as 
no  printing,  mailing  or  media  expenditure;  allows  for  more  frequent 
customer  conduct,  which  turns  into  higher  income;  average  costs  of 
0.03  to  0.1  dollars  for  each  e-mail,  versus  2  dollars  for  direct  post 
and  up  to  3  dollars  for  telemarketing;  customer  acquisition  costs 
average  no  more  than  24  dollars  for  e-mail  versus  82  dollars  for 
public  relation,  958  dollars  for  print  advertisements,  and  1,457 
dollars  for  radio  advertisements  (Midnet  Media,  2003,  p.l). 

•  (v)  Diversified  forms  of  trade.  The  e-mail  marketing  serves  both 
traditional  and  digitalized  goods.  The  goods  are  usually  exhibited 
online.  For  traditional  goods,  though  the  electronic  exhibition  is  not 
as  intuitionistic  as  show  window,  or  door-to-door  marketing,  the 
multimedia  explanation  may  provide  more  comprehensive  a 
presentation  than  any  other  forms  of  marketing.  In  case  of  digital 
goods,  the  e-mail  marketing  has  the  unique  advantage  in  providing 
sample  texts,  and  audio  or  video  clips.  In  fact,  many  online  book 
stores,  music  and  video  dealers,  and  software  vendors  all  provide 
some  kinds  of  sample  to  show  their  goods.  The  e-mail  marketing  can 
directly  link  to  these  online  markets  and  goods. 

•  (vi)  Location  independent.  The  senders  and  the  recipient  of  e-mails 
are  both  location  independent.  The  senders  can  send  e-mails  from 
anywhere  of  the  world  to  recipients  located  anywhere  in  the  globe  (if 
they  are  not  outside  the  earth).  Trans-border  marketing  is  not 
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limited  by  the  national  boundary.  A  nearly  uncontrollable  route 
realizes  the  flow  of  goods,  particularly  digital  goods.  Even  if  it  is 
traditional  goods,  the  uncontrollable  information  might  also  cause 
the  traditional  control  of  trans-national  flow  of  goods  more 
burdensome.  All  in  all,  the  trans-territorial  flow  of  goods  can  benefit 
greatly  from  e-mail  marketing. 

•  (vii)  Advertisers  better  off;  and  intermediaries  might  also  better  off. 
As  a  natural  effect,  with  the  increase  of  e-mail  marketing,  the 
advertisers  will  surely  better  off.  The  voluntary  intermediaries  will 
also  better  off,  because  a  portion  of  the  profits  is  transferred  from 
the  advertisers  to  the  intermediaries. 

The  disadvantages  of  e-mail  advertisement  are: 

•  (i)  Most  people  are  less  familiar  with  e-marketing  than  traditional 
advertisements.  Less  people  are  more  familiar  with  e-mail 
marketing  than  traditional  advertising.  But  more  and  more  people 
are  more  familiar  with  the  new  advertisements  than  ever. 

•  (ii)  Targeting  both  subscriber  and  non-subscriber.  This  may  induce 
more  consumers,  but  may  also  annoy  e-mail  users.  In  fact,  different 
forms  of  traditional  advertisements  are  designed  to  different 
audience.  Some  forms  do  not  distinguish  subscriber  or  non¬ 
subscriber,  such  as  radio,  TV  and  outdoor  advertising.  But 
traditional  postal  marketing  mainly  targets  subscribers,  together 
with  newspaper  and  magazine  advertising.  With  e-mail 
advertisements,  the  businesses  can  limit  marketing  to  subscribers, 
but  can  also  extend  to  non-subscribers  in  order  to  get  more  profits. 
This  advantage  for  senders  becomes  the  greatest  disadvantage  for 
recipients. 
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•  (iii)  Lacking  intermediary  censorship.  Unlike  traditional 
advertisements  that  have  been  published  on  media  that  are 
managed  by  intermediaries,  the  e-mail  marketing  is  actually  direct 
marketing-  more  direct  in  the  sense  of  business-to-consumer,  but  at 
the  same  time  more  indirect  in  the  sense  of  no  longer  face-to-face. 
The  necessary  censorship  on  the  process  of  information  provision  is 
missing.  Subsequently,  the  transaction  process  is  also  less 
monitorable  and  less  controllable. 

•  (iv)  Sender’s  genuine  identity  and  displayed  information  might  be 
different.  The  falsification  of  sender’s  identity  and  address  might 
mislead  the  consumer  to  open  the  unsolicited  e-mail.  The  reply 
address  might  be  invalid  when  the  recipient  replies  to  refuse 
further  messages.  The  recipients  have  less  choice  in  deciding 
whether  or  not  to  receive  this  kind  of  e-mail. 


•  (v)  Lack  of  dispute  solution  mechanism.  The  possibility  of  regulation 
on  e-mail  marketing  is  law.  The  jurisdiction  over  disputes  is 
difficult  to  determine.  The  laws,  regulations,  and  rules,  particularly 
international  harmonization  are  not  ready.  In  addition,  collection  of 
evidences  is  confronted  with  great  obstacles. 

•  (vi)  Weak  deterrence  of  punishment  on  abuse  of  e-mail  marketing. 
The  spammers  have  high  possibility  of  recommitment,  motivated  by 
monetary  interests.  As  a  result,  the  recipient  might  worse  off  due  to 
absence  of  self-determination,  while  the  intermediaries  might  also 
worse  off  due  to  the  absence  of  profit  transfer  agreement. 

The  advantages  and  disadvantages  seem  more  and  more  beneficial  to 
the  senders  but  less  and  less  beneficial  to  the  recipients.  As  a  result,  the 
senders  have  the  stronger  incentive  to  send  more  marketing  e-mails,  while 
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the  recipients  have  the  stronger  to  receive  less.  The  overuse  of  e-mail 
marketing  by  the  businesses  will  lead  to  underuse  by  the  consumers. 


Challenges  of  spam  to  the  society 


The  advantages  of  e-mail  marketing  greatly  upgrade  the  utility  of  e-mail 
in  business.  Both  the  legal  and  illegal  commerce  discover  this  efficient 
instrument  in  harvesting  money  from  the  market.  The  following 
summarizes  a  list  of  common  challenges  of  legal  sense  that  the  spam 
brings  to  the  society. 

The  first  challenge  is  against  e-mail  recipients*  property  rights.  The 
spammer  infringes  the  property  rights  through  two  ways.  On  the  one 
hand， spammers  usually  transfer  the  cost  of  sending  bulk  e-mails  to 
others,  including  individuals,  e-mail  service  providers  (ESPs)  or  Internet 
service  providers  (ISPs),  for  example,  intrusion  others’  computers  or 
servers  to  send  e-mails,  or  evasion  the  reasonable  fees  payable  to  the 
service  providers.  On  the  other  hand,  spammers  usually  practice  fraud 
and  deception  in  spamming.  Spammers  disguise  the  origin  of  their 
messages  so  as  to  ensure  that  the  users  read  their  messages.  Federal 
Trade  Commission  (2003)  reported  that  66  percent  of  spam  messages  are 
fraudulent  in  the  "from"  or  ’’subject”  lines,  or  in  the  message  itself.  For 
example， if  the  subject  line  includes  the  term  such  as  ’’reply’’， ’’your 
required  information",  ” your  free  laptop’’， "free  travel  chances’’， etc,  it  is 
highly  possibly  that  the  users  will  open  the  e-mail  and  find  if  these  are 
valuable  messages.  As  for  the  contents,  many  unsolicited  e-mails  offer 
various  deceptive  or  misleading  representations.  The  most  common  fraud 
schemes  include  the  Nigerian  scam,  online  chances  of  making  money,  and 
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drugs  sales,  etc.  In  a  successful  detected  case,  the  FBI  in  the  United  States 
and  the  Spanish  police  arrested  310  people  who  were  the  Nigerian 
conspirators  of  a  bogus  lottery  scam  involving  100  million  Euros.  The  scam 
victimized  more  than  20,000  people  in  45  countries  (Libbenga,  2005). 

The  second  challenge  is  targeted  at  fair  trade.  Contents  of  most 
unsolicited  e-mails  involve  false  advertisements  or  situation  leading  to 
misunderstanding.  Due  to  the  facility  of  transfer,  such  e-mails  incorrectly 
relay  erroneous  information,  and  mislead  the  recipients  and  consumers  in 
the  bargaining.  Besides  the  breach  of  the  regulations  on  consumer 
protection  and  constitution  of  criminal  fraud,  the  false  advertisements 
might  distort  the  normal  market  of  goods  and  services,  harm  the  normal 
trade  order,  and  reduce  the  consumers*  confidence  (Taiwan  Ministry  of 
Transportation  and  Communications,  pp.  6-7). 

The  third  challenge  is  offending  public  morals.  Unsolicited  e-mails 
are  usually  not  targeting  specific  e-mail  users,  among  which  children  are 
highly  possibly  to  be  harassed.  Because  the  spam  messages  often  contain 
contents  inappropriate  for  children,  such  as  the  hyperlinks  of 
pornographic  websites,  pornographic  pictures,  and  adult  entertainment 
products  and  services,  the  pornographic  spam  has  become  a  public  risk  for 
the  growth  of  the  children.  From  the  pornography  industry  revenue 
statistics,  it  is  apparent  that  the  Internet-related  revenue  has  already 
reached  a  noteworthy  scale.  What  is  worse  is  that  the  average  age  of  first 
Internet  exposure  to  pornography  is  as  low  as  11  years  old,  and  90  percent 
of  the  children  between  8-16  years  old  have  viewed  pornography  online 
(TopTenReview， 2005). 

A  relevant  problem  is  that  in  some  East  Asian  and  Middle  East 
countries,  creating,  copying,  selling， and  spreading  pornography  might 
lead  to  arrest  and  conviction  (See  example,  Penal  Law  of  China  1997, 
Articles  363-367).  In  addition,  merely  possession,  and  browse  of 
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pornography  is  traditionally  prohibited.  The  unsolicited  e-mails  make  it 
difficult  to  judge  whether  the  existing  punishments  are  applicable  to  e- 
mail  users  who  passively  receive  and  ” keep”  e-mails  with  pornographic 
contents.  For  example,  Management  Regulations  on  Internet  Online 
Service  Business  Location  provides  that  the  manager  of  Internet  online 
service  business  location  and  the  Internet  users  must  not  create, 
download,  copy,  view,  release,  spread  or  use  by  other  means  the 
information  containing  obscenity  contents  (China  State  Council 
Management  Regulations  on  Internet  Online  Service  Business  Location 
2002,  Article  14). 

The  fourth  challenge  is  a  threat  to  cybersecurity.  The  security 
problems  brought  about  by  the  spam  generally  require  the  interaction 
between  the  users  and  the  messages.  The  large  volume  of  spam,  the 
malicious  programs  and  malicious  linkages  contained  in  the  messages  are 
the  main  threats  (PC  World,  2003).  In  recent  years,  many  of  the  most 
harmful  malicious  programs  have  been  spread  through  exploiting  e-mails. 

The  fifth  challenge  involves  personal  data  protection.  There  is  little 
exception  in  the  available  literature  and  legislation  on  spam  that  does  not 
emphasize  the  identity  theft.  Many  spammers  send  their  messages  by 
unauthorized  use  of  other  individuals  or  organizations’  accounts  (OECD， 
2004).  The  e-mail  addresses  harvesting  software  can  collect  this 
information  automatically  from  the  webpages  (Boldt， Carlsson  and 
Jacobsson,  2004， p.  8).  Therefore,  the  misuse  of  spamware  and  the 
collection  and  use  of  e-mail  addresses  are  among  the  focuses  of  the  legal 
regulation.  If  the  e-mail  address  includes  enough  information  to  identify 
the  user,  the  collection  and  use  of  such  an  e-mail  address  should  under  the 
consent  of  the  user.  Without  such  consent,  the  collection  and  use  of  the 
address  in  the  spamming  invalidate  the  privacy  protection. 
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The  sixth  challenge  is  comprehensive.  Besides  the  above  aspects, 
spam  is  also  involve  in  other  content-related  and  goods-related 
transgresses  and  offences.  The  examples  of  the  former  category  are  online 
piracy  of  intellectual  property,  spreading  of  malicious  programs  and  codes, 
defamation,  slander,  and  libel,  and  so  on.  The  examples  of  the  latter 
category  are  sales  of  controlled  goods,  such  as  drugs,  prescribed  medicine， 
and  weapons;  providing  services,  such  as  auction,  financing,  tourism, 
dating,  prostitution,  gaming,  gambling,  raffling,  bonus,  and  lottery. 

In  sum,  at  least  at  present,  the  ease  of  using  spam  to  offer  goods  and 
services  increases  the  volume  of  spam.  Sophos  statistics  showed  that 
global  spam  at  the  end  of  2004  has  reached  3  trillion  messages,  with  an 
estimated  cost  of  131  billion  dollars  (EquIP  Technology  and  Cipher  Trust, 
2004).  In  addition,  according  to  an  Industrial  Development  Corporation 
(IDC)  study,  worldwide  revenue  for  anti- spam  solutions  will  exceed  1.7 
billion  dollars  in  2008  (IDC,  2005). 


Costs  and  benefits  of  the  spammer  and  the  spammed 


1.  The  costs  and  benefits  of  the  sender 


Whether  the  spammer  send  the  spam  is  thought  by  economists  as 
controlled  by  "the  invisible  hand”2  of  interests.  According  to  Khong  (2004)， 
although  it  is  difficult  to  measure  the  costs  and  benefits  of  the  spammer,  if 
the  benefit  obtained  from  the  activity  outweighs  the  cost， then  the 
spammer  will  undertake  the  spamming  activity.  It  follows  that  if  there  is 
one  successful  commercial  transaction,  the  spammer  can  realize  his/her 
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benefit.  The  costs  that  are  involved  in  the  spamming  can  be  roughly 
estimated  in  the  following  aspects: 

First,  bandwidth  cost.  It  is  inevitably  to  involve  the  cost  of  bandwidth 
in  the  message  sending.  According  to  Living  Internet  (2005),  as  a  form  of 
communication  across  global  distances,  e-mail  is  relatively  the  cheaper 
way.  Based  on  a  very  conservative  cost  of  10  dollars  a  gigabyte  for 
bandwidth,  Living  Internet  showed  that  every  50  thousand  e-mails  cost 
one  dollar  in  bandwidth  costs.  That  is  to  say,  the  per  message  bandwidth 
cost  is  only  0.000020  dollars.  If  the  spammers  undertake  these  costs,  the 
monetary  investment  will  be  very  tiny  compared  with  the  possible  income 
from  the  spamming. 

Second,  costs  in  sending  message.  Besides  bandwidth  costs,  there  are 
also  other  costs  associated  with  sending  a  message.  This  is  usually 
measured  by  how  much  the  spammer  is  willing  to  do  the  spamming. 
According  to  Goodman  and  Rounthwaite  (2004)， the  higher  price  is  about 
0.001  dollars  per  message,  the  lower  price  is  about  0.000025  dollars  per 
message.  The  cheaper  charges  range  from  0.0001  to  0.0003  dollars  per 
message. 

Third,  to  obtain  users*  e-mail  address  may  also  involve  some  kinds  of 
costs.  But  the  actual  cost  may  depend  on  the  ways  in  which  the  addresses 
are  harvested.  According  to  Sadowsky,  the  spammer  can  obtain  users’  e- 
mail  address  in  the  13  situations  (Sadowsky  et  al.， 2003， p.  55).  But 
obviously,  the  most  convenient  and  least  expensive  way  is  to  harvest  e- 
mail  addresses  automatically  with  specific  software.  The  software  are  also 
available  from  Internet,  either  free  of  charge  or  with  an  inexpensive  price. 

Even  trickier,  the  revenue  of  spammer  from  sending  message  has 
been  found  high  in  a  few  studies.  Goodman  and  Rounthwaite  (2004)  cited 
the  following  information  in  clarifying  how  much  per  message  revenue 


132 


would  be.  They  cited  that  Grimes  (2003)  had  reported  one  person  had  had 
the  revenue  of  as  much  as  0.0005  dollars  per  message,  but  was  willing  to 
do  as  little  as  1,000  dollars  per  mailing:  as  little  as  0.0000125  dollars  per 
message.  Other  information  they  cited  was  from  a  Wall  Street  Journal 
article,  reporting  that  a  person  obtained  360  dollars  or  sending  10  million 
messages,  around  0.000036  dollars  per  message  (Moran,  2002). 

The  above  information  indicates  that  the  costs  of  the  spammer  are 
increasingly  low,  while  the  revenue  is  increasingly  high.  Hansell  (2003) 
found  that  compared  to  the  cost  of  190,000  dollars  for  one  million 
conventional  bulk-rate  postal  mails,  the  marginal  cost  of  sending  a 
marketing  message  to  one  million  recipients  by  electronic  mail  is  less  than 
2,000  dollars.  He  estimated  that  commercial  e-mail  is  profitable  if  one 
recipient  in  100,000  makes  a  purchase.  The  fact  that  the  spam  can  be  sent 
at  very  low  cost  and  in  a  great  quantity  has  attracted  direct  marketing 
companies  to  use  spam  e-mails  for  advertisement.  Cobb  (2003， p.2) 
suggested  the  concept  of  ” the  parasitic  economics  of  spam,”  meaning  that 
the  act  of  sending  a  message  costs  the  sender  less  than  it  costs  all  other 
parties  impacted  by  the  sending  of  the  message.  In  reality,  some 
spammers  pay  nothing  for  sending  their  messages,  hijacking  resources 
that  belong  to  others. 


2.  The  costs  and  benefits  of  the  spammed 


The  costs  induced  by  the  spam  to  the  spammed  have  a  wide  coverage. 
They  include  the  waste  of  the  users1  time,  bandwidth  and  storage,  cost  of 
anti- spam  solution,  and  cost  of  overloading  at  the  mailbox. 

First,  the  topic  of  whether  the  waste  of  time  in  dealing  with  the  spam 
is  disputable.  Spam  messages  are  annoying  in  that  the  users  have  to 
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spend  time  and  money  dealing  with  them.  In  daily  life,  some  people  argue 
that  they  know  e-mail  well  and  it  is  easy  to  identify  spam  messages  from 
useful  e-mails.  Even  if  there  are  some  bulk  mails,  the  user  needs  only  a 
few  seconds  to  browse  the  address,  subject,  content,  signature,  etc  in 
making  a  judgment.  To  delete  them  is  also  not  so  complicated.  They  doubt 
how  the  problem  can  be  so  serious  and  so  wasteful.  In  fact， meeting  with 
messages  well  falsified  in  address  and  subject  lines,  the  user  is  impossible 
to  judgment  whether  this  is  a  spam  or  a  message  from  a  contact.  When  the 
message  is  open,  the  user  has  to  browse  the  contents  and  signature  to 
make  the  final  decision.  If  the  message  begins  with  information  of  his 
interests,  the  users  have  to  spend  yet  more  time  to  decide  whether  or  not 
to  delete  the  message.  The  average  time  and  money  lost  in  processing  a 
single  message  might  not  be  so  significant.  But  the  aggregate  loss  of  time 
and  money  in  aggregate  taken  in  dealing  with  these  messages  might  be 
huge. 

The  time  the  users  spend  on  dealing  with  spam  messages  can  be 
quantified  in  a  way  of  counting  numbers  of  messages  the  users  receive 
everyday,  and  the  time  spent  on  making  judgment  on  whether  the 
messages  are  spam  and  deleting  them.  In  some  services  companies,  the 
treatment  of  these  messages  needs  special  care  so  as  not  to  ignore  the 
customers*  requests,  complaints,  and  business  communications.  EquIP 
Technology  and  Cipher  Trust  (2004， p.l)  found  that  the  average  e-mail 
user  receives  up  to  70  e-mails  a  day.  According  to  Zeller  (2005)， a 
December  2004  survey  suggested  that  Internet  users  spend  an  average  of 
10  working  days  per  year  dealing  with  spam,  and  at  least  some  industry 
analysts  estimated  that  the  yearly  cost  of  spam  to  business  due  to  lost 
productivity  and  additional  network  maintenance  costs  will  be  around  50 
billion  dollars. 
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Second,  spam  also  induces  costs  of  the  bandwidth  and  storage.  Khong 
(2001)  pointed  out  that  in  addition  to  the  losses  of  the  users,  the  spam  also 
has  great  impact  on  e-mail  service  providers  (ESPs).  The  European  Union 
estimated  the  global  bandwidth  costs  of  spam  at  8-10  billion  dollars 
annually  (EquIP  Technology  and  Cipher  Trust,  2004， p.  2).  The  potential 
threats  might  even  severe  to  cause  an  ESP’s  network  to  shut  down 
(Goodman,  2000).  The  interruption  of  services  is  unfortunate  for  both  the 
providers  and  users  in  causing  business,  confidence,  and  other  losses. 

Third,  the  influx  of  spam  has  caused  many  people  and  organizations 
to  deploy  some  form  of  anti-spam  solution.  A  European  Commission  study 
estimated  that  the  costs  associated  with  these  solutions  might  come  up  to 
10  billion  euros  per  year  worldwide  (Gauthronet  &  Drouard,  2001). 
Gartner  Consulting  (1999,  p.  4)  found  that  the  longer  an  e-mail  user  kept 
an  e-mail  account,  the  more  likely  he  would  be  spammed.  It  indicates  that 
spam  is  a  more  severe  threat  to  the  established  users  than  the  new 
comers,  and  a  more  severe  threat  to  the  users  more  dependent  than  the 
users  less  dependent  on  e-mail.  That  is  to  say,  the  more  possible  the  users 
benefit  from  the  e-mails,  the  more  possible  they  bear  losses  from  spam. 
The  increased  profits  of  the  spammer  are  just  based  on  the  increased  loss 
of  the  spammed.  It  is  reasonable  to  deduce  that  the  spamming  business 
would  growth  in  pace  with  the  development  of  the  e-commerce. 

Finally,  another  side  effect  of  the  spam  is  that  it  corrupts  e-mail 
services,  fills  up  users’  mailbox  with  useless  information,  and  decreases 
the  usefulness  of  the  e-mail  service.  Even  worse,  if  the  e-mail  address  has 
ever  been  put  on  the  institution’s  website,  or  personal  homepage,  it  is 
highly  possibly  that  the  address  will  be  harvested,  sold,  and  abused  by 
spammers.  Under  these  circumstances,  the  number  of  spam  messages 
might  increase  in  an  unexpected  pace.  I  keep  an  e-mail  address  provided 
by  a  high  profile  website.  It  has  been  put  to  the  Internet  for  a  few 
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occasions.  Recently,  the  average  number  of  spam  messages  per  day  may 
reach  one  hundred.  Although  the  fortunate  bulk  mail  prevention  function 
by  the  provider  works  well,  and  most  bulk  mails  are  automatically  put  into 
the  specific  folder， sometimes,  it  is  inevitable  that  useful  messages  are  also 
identified  as  spam,  and  the  inbox  is  still  filled  with  dozens  of  spam 
messages  everyday.  Most  of  the  spam  messages  can  really  be  judged 
through  the  subject  or  address  lines.  To  delete  them  needs  a  few  seconds 
everyday.  The  most  annoying  is  that  it  is  really  difficult  to  look  for  the 
useful  messages  from  dozens  of  useless  messages  received  unexpected.  The 
final  solution  is  to  notice  the  contacts  the  change  of  the  address. 

In  fact,  from  the  analysis  above， we  can  identify  nothing  useful  and 
beneficial  to  the  spammed.  They  undertake  pure  losses， not  only  the 
monetary,  but  also  the  psychological. 


The  limitation  of  technological  and  market  solutions 


The  technical  solutions  to  spam  involve  complicated  mechanisms,  which 
are  not  the  primary  concern  of  this  Chapter.  But  the  main  means  are 
filtration  and  blacklist.  The  former  is  used  to  filter  the  sources,  headers, 
and  content.  The  latter  is  used  to  mark  the  refused  IP  addresses.  Practices 
proved  that  the  technical  filtration  often  misjudges,  deletes， and  blocks  the 
useful  and  legal  e-mails,  and  incapable  to  effectively  stop  sending  of  spam 
from  the  sources.  At  the  same  time,  the  technical  solution  also  has 
influences  on  the  transmission  of  the  e-mail  service  providers  and  the 
terminals  (Taiwan  Ministry  of  Transportation  and  Communications,  p. 
13).  It  is  also  possible  that  the  recipient  install  filtering  software  to 
prevent  spam.  But  it  is  still  less  effective. 
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In  the  meanwhile,  spam  technology  and  anti-spam  technology  are 
competing  in  contesting  with  the  market.  The  technical  capacity  of  tracing 
spam  source  is  always  limited  (Taiwan  Ministry  of  Transportation  and 
Communications,  p.  14).  Besides  the  economic  incentive  in  spamming  and 
the  technical  limitation  in  anti-spamming,  the  issue  is  worsened  by  the 
extra  costs  of  the  service  providers  on  improving  computing  ability  to  filter 
the  spam,  and  the  potential  risks  of  misjudgment  and  breach  of 
constitution.  If  there  is  no  legal  warrantee  and  liability,  the  possible 
technical  solutions  might  also  be  discarded.  The  technical  solution  could 
be  effective  only  when  certain  legal  basis  is  ready  to  divide  the  risks 
between  the  senders,  the  service  providers,  and  the  recipients. 

Given  the  technological  solution  is  not  the  unique  way;  the  legal 
regulations  on  spam  are  further  justified  by  the  limitation  of  non-legal 
solutions.  The  following  analyzes  the  disadvantages  of  the  non-regulatory 
measures. 

Theoretically,  the  prohibition  of  spam  could  be  integrated  into 
regulations  on  the  protection  of  consumers'  rights.  But  the  traditional  laws 
can  at  most  extend  privacy  protection  to  the  activities  of  misuse  of  mail 
lists  according  to  the  personal  data  protection  law,  such  as  in  Taiwan. 
However,  this  protection  is  limited  to  eight  industries  and  cannot  provide 
complete  protection  for  consumers  (Taiwan  Ministry  of  Transportation  and 
Communications,  p.  6). 

Self-regulation  is  practiced  by  various  coalitions  of  anti-unsolicited  e- 
mails.  The  goal  of  these  coalitions  is  focused  on  that  the  consumers  enjoy 
the  right  to  accept  or  refuse  the  bulk  mails,  and  that  the  Internet 
resources  and  privacy  should  be  sufficiently  respected.  The  awareness  of 
the  consumers,  website  managers,  and  the  Internet  service  providers 
helps  to  take  coherent  actions  in  combating  spam,  and  enhancing  the 
quality  of  Internet  services. 
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Observing  the  current  situation,  we  can  find  that  the  consumers1 
protection  and  self-regulation  mechanisms  are  both  less  effective  as  well. 
On  the  contrary,  the  problem  of  spam  is  growing  more  serious.  Therefore, 
clear  rules  are  needed  to  define  the  scope  of  the  spam  and  offer  suitable 
punishment,  neither  throttling  e-mail  as  an  e-marketing  tool  nor  leaving  it 
as  it  is. 


Legal  regulations  on  spam 


1.  Basic  approaches  within  the  legal  framework:  opt-in  vs.  opt-out 


In  dealing  with  spam,  various  technological  solutions  are  being  created, 
used,  and  proved  to  be  less  effective.  As  a  necessary  remedy  of  the  problem 
of  the  spam,  legal  framework  must  also  be  used  to  fight  against  spammers. 

The  first  step  in  taking  a  legal  action  is  to  consider  whether  the 
consent  of  the  address  owner  should  be  obtained  prior  to  the  sending  of  the 
spam  message.  If  the  prior  consent  is  necessary,  the  method  is  called  "opt- 
in".  If  the  prior  consent  is  not  required,  the  method  will  be  ”opt-out". 


The  opt-in  mode  fully  takes  care  of  the  free  will  in  receiving 
messages.  Through  receiving  e-mails,  the  recipients  can  acquire  certain 
information.  But  the  privacy  of  the  recipients  and  the  consumers  must  be 
taken  into  account.  The  right  of  privacy  is  now  widely  recognized  and 
protected  in  constitutions  and  laws  worldwide.  Remedies  for  infringement 
of  this  right  have  also  implemented  through  civil  law  or  criminal  law.  Any 
potential  threats  to  the  privacy  should  be  considered  in  advance  of  the 
activities.  The  opt-in  mode  might  better  serve  this  goal  in  the  information 
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age.  Opt-in  mode  is  adopted  in  Australia,  China,  and  the  European  Union 
(for  example  in  the  United  Kingdom).3 

With  Directive  2002/58/EC,  the  European  Union  has  adopted  an  "opt- 
in"  approach  for  commercial  communications  by  e-mail.  The  Article  13  of 
the  Directive  titled  ” Unsolicited  communications^  provided  that: 

"The  use  of  automated  calling  systems  without  human  intervention 
(automatic  calling  machines),  facsimile  machines  (fax)  or  electronic  mail 
for  the  purposes  of  direct  marketing  may  only  be  allowed  in  respect  of 
subscribers  who  have  given  their  prior  consent.’’ 

However,  Article  13.2  also  leaves  an  open  door  for  a  kind  of  special 
opt-out  choice: 

"Where  a  natural  or  legal  person  obtains  from  its  customers  their 
electronic  contact  details  for  electronic  mail,  in  the  context  of  the  sale  of  a 
product  or  a  service,  in  accordance  with  Directive  95/46/EC,  the  same 
natural  or  legal  person  may  use  these  electronic  contact  details  for  direct 
marketing  of  its  own  similar  products  or  services  provided  that  customers 
clearly  and  distinctly  are  given  the  opportunity  to  object,  free  of  charge 
and  in  an  easy  manner,  to  such  use  of  electronic  contact  details  when  they 
are  collected  and  on  the  occasion  of  each  message  in  case  the  customer  has 
not  initially  refused  such  use.” 

Article  13.3  explicitly  limits  the  use  of  unsolicited  communications  for 
purposes  other  than  direct  marketing.  They  are  not  allowed  either  without 
the  consent  of  the  subscribers  concerned  or  in  respect  of  subscribers  who 
do  not  wish  to  receive  these  communications,  the  choice  between  these 
options  to  be  determined  by  national  legislation.  This  provision  ensures 
the  effective  opt-out  in  cases  the  users  choose  to  interrupt  the  subscription 
after  either  opt-in  or  limited  opt-out. 
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The  general  requirements  in  sending  commercial  e-mails  are  by  the 
way  of  ensuring  the  real  identity,  and  address.  Article  13.4  of  the  Directive 
prohibits  the  "disguising  or  concealing  the  identity  of  the  sender  on  whose 
behalf  the  communication  is  made,  or  without  a  valid  address  to  which  the 
recipient  may  send  a  request  that  such  communications  cease. ’’ 

The  Article  13.5  of  the  Directive  further  provides  that  the  subscriber 
in  provision  about  the  definition  of  unsolicited  communications  and  the 
limited  opt-out  provision  shall  apply  to  natural  persons.  But  it  requires 
the  Member  States  to  sufficiently  protect  the  legal  interests  of  other 
subscribers. 

The  Directive  helps  to  establish  a  legislative  model  within  the 
framework  of  the  European  Union.  Opt-in  approach  has  been  adopted  in 
most  EU  Member  States,  and  is  under  consideration  in  some  other 
countries  (Sipior， Ward  and  Bonner,  2004， p.  62).  Under  the  opt-in 
approach,  the  burden  is  on  the  senders  to  offer  the  ”opt-in”  option.  For  the 
e-marketing  as  a  whole,  in  the  case  of  sending  in  goodwill,  the  user  can 
save  time  and  costs  in  processing  the  irrelevant  messages.  In  the  case  of 
sending  mala  fide,  the  recipients  can  prevent  in  advance.  The  main 
advantages  of  opt-in  e-mail  services  are  timeliness,  convenience,  and 
control. 


Compared  with  the  opt-in  mode,  the  opt-out  mode  considers  the 


difficulty  of  the  industry  in  acquiring  the  users*  written  consent.  If  the  use 
of  such  information  were  prohibited,  the  industries  of  financing  service, 
direct  marketing,  and  customer  credit  would  be  directly  impacted.  The 
advantage  of  the  opt-out  mode  than  written  consent  is  that  it  can  balance 
the  personal  privacy  and  right  of  individual  consumer,  offering  the 
opportunity  for  consumers  to  express  their  will  on  whether  or  not  to 
receive  specific  category  of  e-mails.  The  opt-out  mode  is  adopted  in 
Canada,  Japan,  South  Korea,  Singapore,  Taiwan,  and  the  United  States.4 
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In  the  North  America,  the  United  States  CAN- SPAM  Act  superseded 
more  than  30  state  laws  covering  spam.  The  legislation  adopts  an  opt-out 
approach  under  strict  limitations.  Section  5  of  the  Act  provides  the 
requirements  for  transmission  of  messages: 

1.  Prohibition  of  false  or  misleading  transmission  information.  The  Act 
outlaws  sending  commercial  e-mail  message,  transactional  or 
relationship  message  with  header  false  or  misleading  information  to 
a  protected  computer  (Section  5  (1)).  Even  if  the  header  information 
is  "technically  accurate’’， including  the  originating  e-mail  address, 
domain  name,  or  IP  address,  but  when  they  are  obtained  by  means 
of  false  or  fraudulent  pretences  or  representations,  they  are 
regarded  as  "materially  misleading”  (Section  5  (1)(A)).  If  the  sender 
” knowingly  use  another  protected  computer  to  relay  or  retransmit 
the  message"  in  order  to  disguise  the  origin,  the  header  information 
shall  be  regarded  as  ” materially  misleading”  (Section  5  (1)  (C)). 

2.  Prohibition  of  deceptive  subject  headings.  The  Act  outlaws  sending 
commercial  message  if  know  or  should  know  that  "a  subject  heading 
of  the  message  would  be  likely  to  mislead  a  recipient,  acting 
reasonably  under  the  circumstances,  about  a  material  fact 
regarding  the  contents  or  subject  matter  of  the  message” （Section  5 
⑵). 

3.  Prohibition  of  omitting  return  address  or  comparable  mechanism 
(Section  5  (3)).  The  Act  outlaws  sending  commercial  e-mail  message 
without  displaying  ”a  functioning  return  electronic  mail  address  or 
other  Internet-based  mechanism"  (Section  5  (3)  (A)).  The  Act  further 
requires  that  the  return  address  or  other  mechanisms  can  be  used 
by  a  recipient  to  opt-out  by  the  way  designated  in  the  message 
(Section  5  (3)  (A)  (i)).  The  return  address  must  be  available  for  "no 
less  than  30  days"  after  sending  the  message  ((Section  5  (3)  (A)  (ii)). 
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4.  Prohibition  of  transmission  of  commercial  electronic  mail  after 
objection.  In  the  case  of  opting  out  by  a  recipient,  then  sending  e- 
mail  more  than  10  business  days  after  the  receipt  of  such  request  is 
unlawful  (Section  5  (4)). 

5.  Inclusion  of  identifier,  opt-out,  and  physical  address  in  commercial 
electronic  mail  (Section  5  (5)). 

The  effective  opt-out  mechanism  should  be  ’’sending  once， and 
identifying  once. ’’  It  means  that  the  messages  are  sent  to  the  recipients 
only  once  if  the  recipients  do  not  receive  such  messages  any  longer,  and 
the  recipients  need  to  identify  the  same  source  of  the  same  messages  only 
once  before  he/she  decide  to  refuse  or  subscribe  it.  Under  such 
circumstances,  mode  of  the  users  searching  information  changes  to  the 
mode  of  the  users  judging  whether  the  coming  information  is  valuable. 
Thus  it  is  less  wasteful  for  both  the  senders  and  recipients,  if  the  senders 
are  sending  the  information  in  goodwill. 

The  disadvantage  of  this  approach  is  that  it  increases  the  costs  of 
processing  information  in  distinguishing  those  useful  from  useless, 
wasting  work  time， human  resources,  and  money.  For  overall  comparison 
of  these  two  means,  see  Table  2  below. 


Table  4  Comparisons  between  Opt-in  and  Opt-out  (Hong  Kong  Information 
Security  Website,  2005) 


Approaches  Advantages 

Disadvantages 

Opt-in 

Burden  on  senders  to 

offer  opt-in  option. 

Recipients  save  time  and 

costs  in  processing 

irrelevant  messages. 

Malpractice  of  some  traders. 

Lead  to  insufficient,  asymmetry 

information,  and  increase  costs  of 

information  searching.  Malicious 

senders  join  the  mail  lists,  and 
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Recipients  prevent  spam 

in  advance. 

send  more  specialized  spams. 

Opt-out 

Burden  on  recipients  to 

inform  opt-out.  Sending 

once,  identifying  once. 

Information  searching 

changes  to  information 

selecting. 

Opt-out  becomes  confirmation  to 

spammer.  Cost  of  processing 

information  increases. 

The  distinction  between  opt-in  and  opt-out  modes  is  easy  to  make. 
But  in  the  case  of  opt-out  mode,  there  exist  a  special  case  that  needs  a 
special  legal  answer.  If  the  recipient  of  the  opt-out  e-mail  sends  back  the 
message  with  selected  items  that  he  consents  to  receive  or  refuses  to 
receive  further  e-mails,  it  is  purely  the  purpose  of  opt-out.  The  recipient 
bears  the  expenses  involved  in  the  process.  But  if  the  recipient  does  not 
reply  to  the  opt-out  offer,  the  judgment  of  whether  the  recipient  is  willing 
to  receive  further  e-mail  cannot  be  made  without  an  explicit  legal 
provision.  The  law  must  give  an  indubitable  answer. 

2.  Regulated  scope  of  unsolicited  message 


The  contents  and  categories  of  regulated  unsolicited  message  vary  among 
countries  from  each  other.  In  the  aspect  of  the  contents  of  the  regulated 
unsolicited  message,  countries  generally  target  at  commercial 
communications,  such  as  in  Australia,  Japan,  Korea,  the  United  Kingdom, 
and  the  United  States.  The  Australia  Act  on  Unsolicited  Electronic 
Information  2003  applies  to  ’’commercial  electronic  message,”  unless  it  is 
exempted.  The  Korea  Act  on  Promotion  of  Information  and 
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Communication  and  Communications  Network  Utilization  and 
Information  Protection  of  2001  defines  unsolicited  messages  to 
advertisement  information  for  the  purpose  of  earning  profit  or  commercial 
advertisement.  The  United  Kingdom  Privacy  and  Electronic 
Communications  (EC  Directive)  Regulations  2003  applies  to  e-mail  sent 
for  the  purpose  of  direct  marketing.  The  United  States  CAN- SPAM  Act 
defines  "commercial  electronic  message”  as  ’’any  electronic  mail  message 
the  primary  purpose  of  which  is  the  commercial  advertisement  or 
promotion  of  a  commercial  product  or  service  (including  content  on  an 
Internet  website  operated  for  a  commercial  purpose). M  (Section  3  (2))  Hong 
Kong  Bill  against  Unsolicited  Electronic  Message  2005  proposes 
regulation  on  unsolicited  commercial  electronic  message.  Non-commercial 
message,  such  as  the  communications  of  governments  and  citizens, 
contribution  appeal  of  the  charity  or  religious  organizations, 
communications  of  political  parties  are  not  limited.  The  provision  of  China 
Management  Measures  on  Internet  E-mail  Services  2005  is  wide  enough 
to  cover  all  kinds  of  e-mail  messages. 

In  the  aspect  of  the  forms  of  the  regulated  unsolicited  messages,  there 
are  also  different  legislations.  The  law  in  the  United  States  limits  the 
message  to  commercial  e-mail.  Similarly,  China  also  limits  the  form  of 
spam  to  e-mail.  The  mobile  message  is  excluded. 

Other  countries  adopted  broad  legislation  to  outlaw  more  kinds  of 
messages.  The  regulated  electronic  message  in  Australia  covers  e-mail, 
instant  message,  and  telephone.  The  scope  of  the  United  Kingdom  law 
covers  automatic  calling  system,  facsimile,  and  e-mail.  The  Section  5  of 
Australia  Spam  Act  2003  defines  the  purpose  of  the  Act  to  regulate 
commercial  electronic  message  including  e-mail,  instant  message, 
telephone,  and  similar  messages.  But  voice  calls  are  excluded:  If  a 
message  is  sent  by  way  of  a  voice  call  made  using  a  standard  telephone 
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service,  the  message  is  not  an  electronic  message.  Korea  outlaws 
unsolicited  e-mail,  telephone， facsimile,  or  other  media  prescribed  by  the 
Presidential  Decree.  The  term  "other  media”  is  obviously  used  to  cover 
short  message  service  (SMS)  and  other  electronic  communications 
services.  At  the  same  time， Korea  also  specifies  those  messages  sent  to 
recipients  in  violation  of  law  as  spam  (Personal  Data  Dispute  Mediation 
Committee,  Korea  Information  Security  Agency,  2003， p.  5-6).  The  Hong 
Kong  bill  covers  all  the  unsolicited  commercial  electronic  messages:  e-mail, 
facsimile,  instant  message,  and  multimedia  message,  messages  generated 
automatically  by  devices,  including  audio  or  video  messages  recorded 
beforehand  and  sent  through  the  Interactive  Voice  Response  System 
(IVRS)  (Xie， 2005). 


3.  Labeling  of  commercial  e-mail 


Labeling  consists  of  displaying  standard  identifying  labels  in  the  subject 
line  or  header.  Some  countries  require  senders  to  label  certain  kinds  of 
messages,  but  others  do  not  require  it  (Ahn,  2004).  In  order  to  make  it 
possible  for  the  e-mail  service  providers  and  the  recipients  to  distinguish 
and  filter  the  e-mails  before  open  them,  the  general  provision  requires  the 
sender  add  some  words  in  the  commercial  e-mails,  such  as 
"advertisement."  China  requires  labeling  of  ” Advertisement”  in  Chinese  or 
” AD”  in  English.  Taiwan  Draft  Regulations  on  Unsolicited  Commercial  E- 
mail  requires  labeling  of  "Commercial,"  ” Advertisement’’  in  Chinese  or 
” ADV’’  in  English.  The  bill  also  authorizes  the  agency  in  charge  of  the 
regulation  to  publish  other  labels  that  can  be  used  to  identify  the 
commercial  e-mail.  In  Korea,  Article  11  of  the  Ordinance  of  the  Ministry  of 
Information  and  Communication  of  the  Act  (Act  on  Promotion  of 
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Information  and  Communication  and  Communications  Network 
Utilization  and  Information  Protection  of  2001)  requires  an  "ADV"  label. 
But  in  order  to  prohibit  the  irregular  forms  of  labels  such  as  ” A*D*V”  and 
” A 〜 D 〜 V”， the  Ordinance  was  revised  in  2002  to  exclude  the  irregular 
forms.  The  revision  also  requires  an  ” ADLT’’  (adult)  label  if  the  e-mails  are 
for  adults.  In  June  2003,  the  Korea  law  further  requires  to  ’’include  the  ’@f 
(at)  symbol  in  the  title  portion  (right  side)  of  any  commercial  e-mail 
address， in  addition  to  the  words  ’Advertisement’  or  ’Adult  Advertisement’ 
as  applicable.”  (Korea  Information  Security  Agency,  2003). 

Many  states  in  the  United  States  require  a  label  in  the  subject  line  of 
an  e-mail  that  will  alert  recipients  that  the  message  is  an  advertisement. 
This  includes  two  modes:  unsolicited  sexually  explicit  messages  must 
contain  a  label  of  MADV:  ADULT”， ffADV:  ADLT’’， ”  ADULT 
ADVERTISEMENT，，，  ，，ADV:  ADULT  ADVERTISEMENT，，  at  the 
beginning  of  the  subject  line;  unsolicited  commercial  e-mail  messages 
must  contain  a  label  of  "ADV:"  or  "ADVERTISEMENT".  False,  deceptive, 
or  misleading  subject  lines  are  outlawed.  Table  3  shows  the  different 
legislation  modes  on  the  problem  of  labeling  in  the  United  States  (for  a 
complete  summary  of  the  U.S.  state  laws,  see  Sorkin,  2006). 


Table  5  Legislation  Modes  concerning  Labeling 


Legislation 

Modes 

Categories 

Label 

States 

Requirements 

of  Label 

Unsolicited 

sexually 

explicit 

messages 

"ADV:  ADULT",  "ADV: 

ADLT",  "ADULT 

ADVERTISEMENT", 

"ADV:  ADULT 

ADVERTISEMENT" 

Alaska,  Arkansas, 

Illinois,  Indiana, 

Kansas,  Louisiana, 

Maine,  Minnesota, 

Missouri,  New 

146 


Mexico, 

North 

Dakota,  Oklahoma, 

Pennsylvania, 

South 

Dakota, 

Tennessee, 

Texas, 

Utah, 

and 

Wisconsin 

Unsolicited 

commercial 

e-mail 

messages 

”ADV:’’  or 

，’ ADVERTISEMENT” 

Arizona,  Colorado, 

Michigan,  and 

Nevada 

Prohibition  of 
False, 

Deceptive,  or 
Misleading 
Subject  Lines 


Arizona,  Illinois, 
Indiana,  Kansas, 
Maryland, 
Minnesota, 
Missouri,  North 
Dakota,  Oklahoma, 
Pennsylvania, 

South  Dakota, 
Texas,  Washington, 
West  Virginia,  and 
Wyoming 


In  order  to  avoid  possible  disputes  and  damages  in  the  direct 
marketing  through  e-mail,  effective  tracing  of  senders  is  critical.  Laws 
require  the  sender  to  provide  correct  header  of  the  e-mail.  The  Section  5 
(a)  (1)  of  United  States  CAN- SPAM  Act,  Article  3  (3)  and  Article  5  of 
Japan  Specified  Commercial  Transactions  Law  for  Appropriate 
Transmission  of  Specified  E-mails  2002  all  provide  the  similar 
requirement.  The  sender's  identity  information  is  also  an  important 
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requirement  in  commercial  e-mails.  The  Section  5  (a)  (5)  of  the  US  Act， 
and  Article  3  (2)  of  the  Japan  Law  both  make  such  provisions. 


In  the  United  States,  states  have  taken  different  steps  to  criminalize 
the  act  of  sending  unsolicited  commercial  e-mail  containing  false,  falsified 
or  missing  routing  information,  or  misrepresent  or  obscure  the  point  of 
origin  or  routing  information;  the  sale,  distribution,  and  possession  with 
intent  to  sell  software  that  is  designed  to  falsify  routing  information;  and 
unsolicited  commercial  e-mail  using  a  third  party’s  Internet  address  or 
domain  name  without  permission.  Some  states  require  that  the  unsolicited 
commercial  e-mail  must  include  the  sender’s  name,  street  address,  and  e- 
mail  address,  along  with  opt-out  instructions  (Coalition  Against 
Unsolicited  Commercial  Email,  1999).  The  following  Table  4  compares  the 
differences  between  the  legislation  modes  of  the  U.  S.  states. 


Table  6  Legislation  Modes  concerning  Identity 


Criminalization  or  Requirements  States 


The  act  of  sending 
unsolicited  bulk  e-mail 
containing  false, 

falsified  or  missing 

Criminalization 

routing  information,  or 
misrepresent  or  obscure 
the  point  of  origin  or 
routing  information 


Arizona,  Arkansas,  Colorado, 
Connecticut,  Delaware,  Illinois, 
Indiana,  Iowa,  Kansas， 
Louisiana,  Maine,  Maryland, 
Michigan,  Minnesota,  Nevada, 
North  Carolina,  North  Dakota, 
Ohio,  Oklahoma,  Pennsylvania, 
Rhode  Island， South  Dakota， 
Tennessee,  Texas,  Utah, 
Virginia,  Washington,  West 
Virginia,  and  Wyoming 


The  sale,  distribution,  Arkansas,  Connecticut, 
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and  possession  with  Delaware,  Illinois,  Kansas, 

intent  to  sell  software  Louisiana,  Michigan,  Nevada, 

that  is  designed  to  Oklahoma,  Pennsylvania,  Rhode 

falsify  routing  Island,  Tennessee,  Virginia,  and 

information  West  Virginia 

Unsolicited  commercial 

e-mail  using  a  third 

party’s  Internet  address 

or  domain  name 

without  permission 

Arizona,  Arkansas,  Colorado, 

Idaho,  Illinois,  Indiana,  Iowa, 

Kansas,  Maine,  Maryland, 

Minnesota,  North  Dakota, 

Oklahoma,  Pennsylvania,  Rhode 

Island,  Texas,  Washington,  West 

Virginia,  and  Wyoming 

Requirements 

Require  that  the 

unsolicited  commercial 

e-mail  must  include  the 

sender’s  name,  street 

address,  and  e-mail 

address,  along  with  opt- 

out  instructions 

Arkansas,  Colorado,  Indiana, 

Iowa,  Kansas,  Maine, 

Minnesota,  Missouri,  Nevada, 

new  Mexico,  Ohio,  Oklahoma, 

Rhode  Island,  Tennessee,  and 

Utah 

These  different  provisions  within  one  nation  indicate  that  the  law 
enforcement  is  confronted  with  either  the  jurisdictional  gap  or  overlap, 
besides  possible  consistency  and  coordination. 


4.  Criminal  liability,  administrative  liability,  civil  liability,  and 
international  cooperation 
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The  prohibition  of  spam  is  ensured  by  liability  mechanisms.  The  liabilities 
for  spam  can  take  the  forms  of  criminal,  administrative  and  civil 
liabilities.  In  nature,  the  criminal  liability  is  the  most  severe  and 
deterrent  one.  The  administrative  and  civil  liabilities  are  less  deterrent. 
But  deterrence  is  not  the  only  factor  in  determining  the  adoption  of 
liabilities.  The  most  deterrent  liability  might  also  be  the  most  costly  and 
thus  less  efficient  in  economic  sense.  Therefore,  other  liabilities  can  have 
comparative  advantages.  In  either  case,  the  international  coordination  and 
cooperation  are  necessary. 

In  some  of  the  U.S.  states,  spam  has  been  criminalized  by  state  laws， 
such  as  Colorado,  Nevada,  Pennsylvania,  Connecticut，  Delaware, 
Louisiana,  North  Carolina,  and  Virginia.  In  some  other  jurisdictions 
without  statutes  regulating  commercial  spam,  unsolicited  e-mail  is  usually 
regulated  with  reference  to  harassment,  stalking,  and  sexually  explicit 
communication  to  minors,  such  as  in  Hawaii,  Wisconsin,  and  Maryland 
(Gilbert  &  Harrison-Watkins,  2001).  The  Section  4  of  2004  CAN- SPAM  Act 
prohibits  using  a  computer  without  authorization  to  send  commercial  e- 
mail;  falsifying  header  information  in  sending  commercial  e-mail;  and 
registering  e-mail  accounts  with  false  identifying  information,  and  using 
those  accounts  to  send  commercial  e-mail.  Under  the  Act， violations  of  the 
provisions  above  can  result  in  fines  and  imprisonment  of  between  one  and 
five  years  depending  on  the  seriousness  of  the  violation  and  other  factors. 

In  exploring  the  criminal  liability  for  spam,  there  are  some  issues 
deserving  reconsideration. 

Firstly,  although  the  overall  losses  caused  by  spam  are  huge,  the 
average  loss  of  a  single  user  by  a  single  message  might  be  very  tiny.  Every 
single  user  might  lack  the  incentive  to  report  and  provide  evidences  to  the 
law  enforcement.  If  they  do  so,  the  process  might  involve  more  expenses  of 
time， money,  and  energy  than  merely  being  spammed,  without  any 
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expected  reward.  A  simple  reaction  of  users  against  spam  might  be  to 
ignore  it,  until  they  have  more  sufficient  psychological  pulse  and  economic 
motive  to  report  it. 

Secondly,  the  cost  of  tracking  down  spammer  is  high  (Prince,  2004). 
Although  there  are  cases  of  harsh  criminal  sanctions， such  as  that  a 
Virginian  spammer  was  sentenced  to  nine  years  in  prison  for  sending  10 
million  e-mails  each  day  (Wakefield,  2005)， the  cases  of  large  damages, 
such  as  that  another  spammer  was  sued  by  AOL  for  7  million  dollars 
(Ibid),  and  that  a  Florida-based  spammer,  James  McCalla  was  imposed 
the  uncollectible  fine  of  11  billion  dollars  for  sending  over  280  million 
unsolicited  e-mail  messages,  and  an  enforceable  mechanism  of  banning 
him  to  use  the  Internet  for  three  years  (Arnfield， 2006).  Spamhaus 
estimated  that  spam  would  account  for  95  percent  of  all  e-mails  by  mid- 
2006  (Wakefield,  2004). 

Thirdly,  the  countries  adopted  different  legal  approaches,  such  as  opt- 
in， opt-out,  and  even  no  regulation  at  all.  Within  each  mode,  the  nature 
and  scope  of  the  regulated  messages  varies  from  one  country  to  another. 
The  countries  without  anti-spam  law  neither  protect  the  spammed  nor 
prevent  the  spammer.  The  users  become  the  potential  targets  of  the  spam， 
while  the  spammers  might  emerge  in  these  countries  or  move  to  these 
countries  to  spam.  Every  country  has  the  possibility  of  becoming  a  safe 
haven  for  spammers.  This  makes  it  less  effective  to  coordinate 
internationally. 

Fourthly,  in  addition  to  the  high  cost,  and  the  legal  and  jurisdictional 
differences,  the  uncontrollability  of  the  e-mail  communications,  and  the 
trans-territorial  or  trans-national  distribution  of  both  the  spammers  and 
the  spammed  determine  the  very  low  detection  and  conviction  probability. 
The  traditional  view  supposed  a  more  severe  penalty  as  a  more  suitable 
deterrence.  But  if  the  probability  is  near  zero,  even  the  highest 
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punishment  does  not  work.  All  these  factors  have  influence  on  the 
effectiveness  of  criminal  liability. 

In  China,  the  regulation  and  punishment  of  spam  are  realized 
through  administrative  liability.  The  Article  24  of  the  Law  provides  that 
sending  unsolicited  e-mail,  sending  e-mail  with  false  header  and  labeling, 
or  sending  e-mail  to  recipient  who  opt-in  previously  but  opt-out 
subsequently,  should  be  corrected  under  the  order  of  Ministry  of 
Information  Industry  or  Bureau  of  Communications  Management,  and 
imposed  a  fine  no  more  than  10,000  RBM  Yuan  (about  1,000  euros);  those 
who  obtained  illegal  income， should  be  imposed  a  fine  no  more  than  30,000 
RMB  Yuan  (about  3,000  euros). 

It  is  also  possible  to  take  civil  actions  against  spam  senders.  First  of 
all,  because  the  ISPs’  systems  are  repeatedly  burdened  by  huge  volume 
mailings,  they  can  incur  noteworthy  cost.  Thus,  they  have  the  choice  of 
seeking  financial  compensation  through  civil  action.  Generally,  civil  laws 
that  apply  to  damages  resulting  from  wrongful  actions  or  breaches  of 
contract  would  apply  to  conventional  and  online  activities  equally 
(Ferguson  &  Piragoff,  1997). 

Another  form  of  civil  action  can  also  protect  recipients  from 
spamming.  Damages  are  a  favorable  deterrent  against  spam.  Laws  in 
some  of  the  U.S.  states  provide  statutory  damages  to  individuals  and 
ESPs.  These  damages  vary  from  10  dollars  per  message  in  Colorado  and 
Iowa  to  500  dollars  in  Rhode  Island. 

Law  enforcement  needs  the  harmonized  international  actions.  There 
have  been  a  number  of  international  initiatives  to  deal  with  the  problem  of 
trans-border  scams.  The  Organization  for  Economic  Cooperation  and 
Development  adopted  new  guidelines  in  June  2003  to  promote 
international  cooperation  against  trans-border  fraud  and  deception. 
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Recent  trends  in  international  cooperation  have  been  between  industries, 
organizations  and  the  consumer  or  citizen,  and  between  industries  and 
government  (Ahn,  2004).  Important  multi-lateral  organizations  include 
the  Organization  for  Economic  Cooperation  and  Development, 
International  Telecommunication  Union  (ITU),  APEC,  Internet 
Corporation  for  Assigned  Names  and  Numbers  (ICANN)  and  International 
Consumer  Protection  and  Enforcement  Network  (ICPEN).  In  order  for  the 
international  cooperation  to  be  timely  and  effective,  it  should  include 
various  different  communities  (OECD,  2004).  In  dealing  with  the  problem 
of  spam,  the  new- styled  international  cooperation  is  an  urgent  call.  As  of 
2005， International  Council  on  Internet  Communications  was  formed  to 
coordinate  international  efforts  to  stop  spammers  (News  Target,  2005). 
Given  spam  is  still  in  its  rapid  developing  stage， we  cannot  expect  any  of 
such  institutions  are  able  to  solve  the  problem  in  a  predictable  period. 

International  action  might  meet  obstacles  impossible  to  overcome. 
The  senders  and  recipients  in  opt-in  countries  and  the  opt-out  countries 
might  first  meet  with  unsolvable  vicious  cycle.  The  users  of  opt-in 
countries  might  always  feel  that  they  are  annoyed  by  the  senders  of  the 
opt-out  countries.  The  users  of  the  opt-out  countries  might  feel  that  they 
are  less  informed  by  the  businesses  of  the  opt-in  countries.  The  businesses 
of  the  opt-out  countries  might  also  feel  that  they  are  guilty  of  spamming 
users  of  opt-in  countries.  The  senders  of  the  opt-in  countries  might  feel 
that  they  are  less  competitive  in  the  e-marketing  in  the  global  market,  and 
so  forth. 

Furthermore,  we  mentioned  the  different  provisions  of  the  subject 
line.  The  English-speaking  countries  will  surely  require  a  label  in  English, 
such  as  ” ADV”， and  so  forth.  Other  countries  require  a  label  either  in  their 
native  languages  or  in  English.  This  brings  about  little  problem  within  one 
jurisdiction.  The  problem  is  that  e-mail  advertisements  are  neither 
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language  dependent  nor  jurisdiction  dependent;  laws  of  most  countries 
are,  nevertheless,  jurisdiction  dependent,  protecting  recipients  and 
preventing  senders  in  one  jurisdiction.  Neither  are  the  spammers  from 
abroad  are  well  punished,  nor  are  the  spammed  from  abroad  well 
protected.  Trans-national  spamming  is  a  problem  that  domestic  laws  are 
reluctant  to  deal  with. 

Finally,  it  is  less  possible  to  determine  whether  a  message  with  a 
specific  label  is  spam  according  to  the  domestic  laws.  If  a  Chinese  sender, 
fully  coincident  with  Chinese  law,  sends  a  message  with  a  label  in  Chinese 
character  to  a  user  in  Japan,  who  is  also  a  Chinese  citizen,  he/she  might 
identify  this  Chinese  message  as  spam  according  to  Japanese  law, 
whether  he/she  consent  to  receive  such  a  message  or  not.  Because  he/she 
receives  the  message  in  Japan,  where  only  Japanese  law  applies,  he/she 
can  take  an  action  against  this  Chinese  sender  on  the  basis  that  this 
message  provided  the  irregular  label. 

From  the  above  analysis,  international  cooperation  should  not  only 
propel  unified  rules,  but  also  hold  spammers  liable  for  trans-border 
spamming.  More  than  ever,  an  international  anti -spam  agreement  is 
necessary. 


Conclusion 


Spammers  are  motivated  by  greater  benefits  from  spamming  than  other 
kind  of  direct  mailing.  The  growth  of  spam  despite  the  increase  of  efforts 
suggests  that  any  previous  solution  cannot  work  alone.  Comprehensive 
mechanisms  must  be  established  to  protect  the  spammed  and  to 
discourage  the  spammer.  To  balance  the  liability  among  the  spammer,  the 
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spammed， and  the  intermediaries,  criminal  sanctions,  civil  remedies,  and 
international  harmonization  are  all  constituents  of  the  effective  legal 
framework. 
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CHAPTER  VII  UNSOLICITED  E-MAIL  WITH 
ATTACHMENTS 


Introduction 


The  Internet  was  an  outstanding  creation  of  human  beings  in  the  20th 
century,  with  its  power  extending  to  the  current  days.  More  than  683 
million  e-mail  users  hold  1.2  billion  accounts  (Radical  Group  2005)， and 
utilize  this  unprecedented  means  in  communications  and  marketing. 
Unsolicited  e-mail  messages  become  a  nuisance  that  every  user  meet  by 


chance.  The  recipients’  property  rights,  fair  trade,  public  morals, 
cybersecurity,  data  protection,  and  other  content-related  and  goods-related 
transgresses  and  offences  are  all  challenges  that  the  society  is  confronted 
with  (Li  2006). 

Many  researches  have  been  carried  out  to  analyse  the  phenomenology 
of  unsolicited  commercial  e-mail  (UCE,  or  unsolicited  business  e-mail, 
UBE， or  simply  spam).  Others  have  particularly  dealt  with  the  costs  and 


benefits  of  senders  and  recipients  derived  from  the  unsolicited  e-mail 


(Khong  2001， and  2004)， the  overall  impact  on  productivity  of  individual 
employee  and  enterprises  (Nucleus  2003， 2004)， the  scale  and  volume  of 
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unsolicited  e-mail  (Radical  Group  2005)， the  impact  on  consumers’ 
attitudes  and  confidence  towards  e-commerce  (TACD  2003;  Fallows  2003; 
Harris  Interactive  2003)， the  higher  possibility  of  receiving  unsolicited  e- 
mail  by  online-published  addresses  (Federal  Trade  Commission  2002b)， 
the  ignorance  of  removal  requests  by  senders  (Federal  Trade  Commission 
2002a)， and  the  technical  and  legal  solution  on  unsolicited  e-mail  (Sorkin 
2001). 

Few  studies  have  touched  with  unsolicited  e-mail  messages  with 
attachments,  particularly  with  how  many  risks  a  single  e-mail  user  might 
be  confronted  with.  In  this  study,  I  use  a  sample  of  501  unsolicited  e-mail 
messages  with  attachment,  presenting  the  first  analysis  of  the  types  and 
validity  of  sender  column,  types  and  validity  of  subject  column,  types  of 
offers  of  message  content,  and  types,  sizes  and  nature  of  attachments  of 
these  messages.  In  this  Chapter,  the  term  “spam’  is  deliberately  avoided 
on  the  side  of  the  author,  due  to  the  lack  of  a  universally-accepted  unified 
definition.  At  the  same  time,  the  author  prefers  the  phrase  of  “unsolicited 
e-mail”  without  the  modifier  “commercial”  or  “business”， in  order  to 
enlarge  the  coverage  of  messages  with  attachments  in  this  study  to  virus 
spreaders. 


Literature  review 

As  the  increase  of  capability  of  computers  and  networks  to  process 
information,  “a  wealth  of  information”  can  lead  to  a  “poverty  of  attention” 
(Simon  1982).  Unsolicited  business  e-mail  (UBE)  or  unsolicited 
commercial  e-mail  (UCE)  represents  an  example  that  e-mail  users  must 
deal  with  the  superfluous  information  they  do  not  expect  to  consume. 
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Unsolicited  e-mail  brings  about  the  negative  image  of  e-marketing, 
frightening  e-mail  users  from  trusting  the  e-mail  communications. 

Unsolicited  e-mail  sent  out  to  multiple  recipients  has  broad  negative 
effects  on  e-mail  marketing.  Karnell  (2002)  found  that  an  increasing 
numbers  of  e-mails  have  never  been  read  by  the  recipients,  and  the  users 
prefer  limiting  or  disrupting  the  business  contacts.  The  prevalence  of 
unsolicited  messages  demonstrates  a  growing  threat  to  the  information 
society  (World  Summit  on  the  Information  Society  2003,  paragraph  37). 


Spammer-X  (2004)  told  his/her  story  about  the  reasons  and  methods 
of  spamming,  revealing  the  wisdom  of  defeating  anti- spam  techniques, 
avoiding  being  identified,  and  escaping  the  law.  McWilliams  (2005) 
described  the  world  of  the  spammers  and  spam-fighters,  giving 
information  on  the  mechanisms  of  spamming  and  spam  fighting. 
Goodman  (2004)  presented  the  most  usual  spam  traps  and  explained  why 
the  current  solutions  are  ineffective.  Lambert  (2003)  analysed  a  wide 
variety  of  e-mail  in  order  to  produce  a  profile  of  spam  and  develop  a 
profile  of  spammer. 

The  United  States  Federal  Trade  Commission  (1998)  identified  a 
dozen  of  most  likely  spam  scams,  covering  spam  and  scams  from  business 
opportunities,  quick  money,  working  at  home,  to  guaranteed  loans,  and  so 
on. 

Li  (2006)  summarized  six  challenges  that  the  spam  brings  to  the 
society:  the  recipients’  property  rights,  fair  trade,  public  morals, 
cybersecurity,  data  protection,  and  other  content-related  and  goods- 
related  transgresses  and  offences.  From  the  standpoint  of  the  senders,  all 
these  challenges  could  be  classified  into  two  bigger  categories:  victim 
seeking  and  conspirator  seeking.  From  the  standpoint  of  the  recipient， 
they  are  confronted  with  initial  victimization  (being  spammed),  further 
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victimization  (being  defrauded,  or  attacked  by  viruses),  or  committing 
offences  (tax  evasion,  or  use  of  falsified  documents). 

Nucleus  (2003)  reported  the  in-depth  interviews  with  117  employees 
and  extensive  interviews  with  28  IT  administrators.  They  found  that  an 
average  of  13.3  unsolicited  messages  reached  the  employee  per  day;  each 
employee  has  to  spend  an  average  of  6.5  minutes  per  day  dealing  with 
unsolicited  messages.  The  calculated  that  unsolicited  messages  caused  an 
average  1.4  percent  of  productivity  loss  per  employee  per  year,  equal  to  an 
average  cost  of  874  dollars  per  employee  per  year. 

Nucleus  (2004)  reported  further  interviews  with  employees  at  82 
Fortune  500  companies.  They  found  that  users  received  an  average  of 
twice  the  number  of  previous  year’s  unsolicited  messages,  with  an  average 
3.1  percent  of  productivity  loss  in  2004.  They  also  found  that  the  role  of 
technical  solution  to  unsolicited  messages  became  less  effective. 

Fallows  (2003)  reported  the  Pew  Internet  &  American  Life  Project, 
which  collected  data  from  a  national  telephone  survey  of  2,200  adults  and 
a  compilation  of  more  than  4,000  first-person  narratives  about  unsolicited 
messages.  The  findings  showed  unsolicited  messages  caused  some  e-mail 
users  to  use  e-mail  less,  and  trust  the  online  environment  less.  Fear  of 
unsolicited  messages  increased. 

Federal  Trade  Commission  (2002a)  tested  215  addresses  from  spam 
with  “remove  me”  claims,  and  found  that  135  removal  links  or  addresses 
were  dead  or  did  not  function,  attempts  to  send  reply  e-mail  messages 
were  in  the  same  way  unsuccessful. 

Federal  Trade  Commission  (2002b)  put  250  new,  undercovered  e-mail 
addresses  in  175  different  locations  on  the  Internet,  including  web  pages, 
newsgroups,  chat  rooms,  message  boards,  and  online  directions  for  web 
pages,  instant  message  users,  domain  names,  resumes,  and  dating 
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services.  They  found  that  web  pages,  newsgroups,  and  chat  room  are  all 
attractive  to  unsolicited  message  senders. 

Federal  Trade  Commission  (2003a)  reported  that  66  percent  of  spam 
messages  are  fraudulent  in  the  “from”  or  subject  columns,  or  in  the 
message  itself.  The  false  advertisements  might  distort  the  normal  market 
of  goods  and  services,  harm  the  normal  trade  order,  and  reduce  the 
consumers’  confidence  (The  Directorate  General  of  Telecommunications 
Ministry  of  Transportation  and  Communications  2005,  pp.  6-7).  The  large 
volume  of  spam,  the  malicious  programs  and  malicious  linkages  contained 
in  the  messages  are  the  main  threats  (PC  World  2003). 

Federal  Trade  Commission  (2005)  found  that  spammers  continue  to 
harvest  email  address  posted  on  web  sites,  and  to  a  much  lesser  extent, 
those  posted  on  blogs  and  USENET  groups.  Masking  email  addresses 
when  posting  on  web  sites  can  substantially  reduce  the  risk  of  harvesting. 

Harris  Interactive  surveyed  2,376  adults  online  in  2003， and  found 
that  most  online  adults  reported  that  they  received  more  spam  than  six 
months  earlier.  Only  14  percent  have  seen  a  decline  in  the  volume  of  spam. 
A  majority  of  respondents  reported  unsolicited  messages  annoying  or  very 
annoying  (Taylor  2003). 

Many  spammers  send  their  messages  by  unauthorized  use  of  other 
individuals  or  organizations’  accounts  (Organization  of  Economic 
Cooperation  and  Development  2004).  The  e-mail  addresses  harvesting 
software  can  collect  this  information  automatically  from  the  web  pages 
(Boldt， Carlsson  and  Jacobsson  2004,  p.  8).  Based  on  the  discussions  of 
spyware  and  on  the  findings  from  the  two  experiments,  Boldt， Carlsson 
and  Jacobsson  (2004,  p.  4)  concluded  that  spyware  has  a  negative  effect  on 
computer  security  and  user  privacy.  Spyware  enables  for  the  spreading  of 
e-mail  addresses  that  may  result  in  the  receiving  of  unsolicited  e-mail. 
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Khong  (2004)  stated  that  although  it  is  difficult  to  measure  the  costs 
and  benefits  of  the  spammer,  if  the  benefit  obtained  from  the  activity 
outweighs  the  cost,  then  the  spammer  would  undertake  the  spamming 
activity.  It  follows  that  if  there  is  one  successful  commercial  transaction, 
the  spammer  can  realize  his  or  her  benefit.  The  costs  that  are  involved  in 
the  spamming  can  be  roughly  estimated  according  to  the  costs  of 
bandwidth,  message  sending,  and  obtaining  of  the  users’  address.  The 
costs  of  bandwidth  and  message  sending  are  ignorable.  According  to 
Sadowsky  (2003， p.  55)， the  spammer  can  obtain  users’  e-mail  address  in 
the  13  situations.  Obviously,  the  most  convenient  and  least  expensive  way 
is  to  harvest  e-mail  addresses  automatically  with  specific  software.  The 
software  is  also  available  from  Internet,  either  being  free  of  charge  or  with 
an  inexpensive  price. 

The  revenue  of  spammer  from  sending  message  has  been  found  high 
in  a  few  studies  Goodman  and  Routhwaite  (2004).  Cobb  (2003， p.  2) 
suggested  the  concept  of  “the  parasitic  economics  of  spam，’’  meaning  that 
the  act  of  sending  a  message  costs  the  sender  less  than  it  costs  all  other 
parties  impacted  by  the  sending  of  the  message. 

The  costs  and  benefits  of  the  spammed  can  also  be  estimated.  The 
costs  induced  by  the  spam  to  the  spammed  have  a  wide  coverage.  They 
include  the  waste  of  the  users’  time,  bandwidth  and  storage,  cost  of  anti¬ 
spam  solution,  and  cost  of  overloading  at  the  mailbox  (Gauthronet  and 
Drouard  2001).  The  average  time  and  money  lost  in  processing  a  single 
message  might  not  be  so  significant.  However,  theoretically,  the  aggregate 
loss  of  time  and  money  in  aggregate  taken  in  dealing  with  these  messages 
might  be  huge  (Li  2006).  Spam  also  induces  costs  of  the  bandwidth  and 
storage,  losses  in  interruption  of  services,  and  anti-spam  solutions 
(Gauthronet  and  Drouard  2001).  The  interruption  of  services  is 
unfortunate  for  both  the  providers  and  users  in  causing  business, 
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confidence,  and  other  losses.  Worldwide  revenue  for  anti- spam  solutions 
will  exceed  1.7  billion  dollars  in  2008  (IDC  2005).  If  the  e-mail  address 
has  ever  been  put  on  the  institution’s  Web  site,  or  personal  homepage,  it 
is  highly  possibly  that  the  address  will  be  harvested,  sold,  and  abused  by 
senders  (Federal  Trade  Commission  2003b). 

Finally,  unsolicited  e-mail  is  nothing  useful  and  beneficial  to  the 
recipients.  From  all  of  the  previous  studies,  it  is  reasonable  to  conclude 
that  the  recipients  undertake  pure  losses,  not  only  the  monetary,  but  also 
the  psychological  (Li  2006). 


Methodology 


The  Chapter  presents  a  case  study  on  unsolicited  e-mail  messages  with 
attachments,  analysing  the  sender  column,  subject  column,  content  and 
attachments  of  these  message.  The  sample  was  composed  of  all  the  501 
messages  with  attachments  out  of  a  total  of  about  26,000  unsolicited  e- 
mail  messages  collected  in  one  e-mail  account  through  honeypot  technique 
during  June  2005  to  May  2006. 

The  account  has  received  26, 160  messages  in  total,  with  normal 
messages  accounting  for  200  in  “inbox”  and  “backup”  folders,  and  25,960 
unsolicited  messages  in  “5000”， “attach”  and  “spam”  folders.  The  501 
unsolicited  messages  with  attachments  have  been  collected  in  “attach” 
folder. 

In  analysing  each  message,  it  is  necessary  to  establish  a  standard  to 
categorise  the  messages  into  different  types  according  to  their  sender 
column,  subject  column,  content  and  attachments.  The  standard  to  decide 
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if  the  sender  column  is  falsified  is  the  name  format.  The  personal  name  in 
Chinese  is  constituted  by  “family  name  plus  personal  name，’’  while  in 
English  it  is  “first  name  plus  surname.”  The  name  for  an  organization  is 
also  easy  to  judge  by  comparing  the  name  in  the  sender  column  with  that 
in  the  content. 

The  standard  to  decide  whether  a  subject  column  is  falsified  is 
relatively  relaxed.  Because  there  is  only  one  message  labelled  with  an 
“AD:”  sign,  in  strict  sense  all  the  subject  columns  of  other  messages  are 
illegal.  However,  the  emphasis  of  this  Chapter  is  not  to  coincide  with  the 
legal  standard.  Rather,  it  is  focused  on  the  analysis  of  the  phenomenon  of 
unsolicited  e-mail  messages  with  attachments.  The  message  with  “AD:” 
label,  and  messages  with  words  explaining  the  content  or  having  apparent 
connection  with  the  content  are  regarded  as  not  falsified.  The  other 
messages  with  the  subject  column  irrelevant  with  the  content， inducing 
recipient  to  open  the  messages,  is  considered  falsified. 

The  content  is  categorised  according  to  the  offers  provided， and  the 
nature  of  the  attachments. 


Findings 


Types  of  File  Formats  of  Attachments 


In  total  501  messages  with  attachments,  three  attachments  were  missing. 
Other  attachments  are  comprised  of  14  kinds  of  document  formats.  More 
than  one  third  of  the  attachments  are  “zip”  format  compressed  files, 
mostly  viruses,  which  represent  the  most  severe  threats  to  the  e-mail 
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users’  computer  security.  Another  one  third  of  all  attachments  are 
comprised  of  two  categories:  approximately  one  fifth  of  the  total 
attachments  being  “gif’  format  image  files， and  approximately  one  sixth 
being  “htm”  format  documents.  This  one  third  is  relatively  virus  free,  but 
includes  annoying  contents  and  hyper  links.  These  three  kinds  of  files 
constitute  more  than  70  percent  of  all  attachments.  Another  frequent 
attachment  format  is  Microsoft  Word  “doc”， which  accounts  for  8.4  percent 
of  all  attachments.  Other  10  kinds  of  document  formats  are  only 
responsible  for  approximately  20  percent  of  attachments,  including  both 
viruses  and  virus  free  files. 


Table  7  Types  of  File  Formats  of  Attachments 


Types  of  File 

Formats 

Number 

Percentage 

*.chm 

ii 

2.2 

*.com 

9 

1.8 

*.doc 

42 

8.4 

*.exe 

13 

2.6 

*.gif 

92 

18.4 

*.htm 

78 

15.6 

*.jpg 

13 

2.6 

*.mid 

3 

0.6 

*.pif 

19 

3.8 

*.rar 

11 

2.2 

*.scr 

12 

2.4 

*.txt 

8 

1.6 

169 


'scr 

2,4%" 


*.xls 

3 

0.6 

*.zip 

184 

36.7 

Attachment 

missing 

3 

0.6 

Total 

501 

100 

*.chm 
*.rar  2,2% 

1  i 

*.com  *加  *'mid 

r  1,8%  °'6/o 

/  / ^^_MiSSing  ^ 

。:6% 

*  doc 
8,4%" 


□  *.zip 

■  *.gif 

□  *.htm 

□  *.doc 
■气 pif 
口  *.jpg 
画  *.exe 

□  *.scr 

■  *.rar 

■  *.chm 

□  *.com 

□  *.txt 

■  *.mid 

■  *.xls 

■  Missing 


Figure  1  Types  of  File  Formats  of  Attachments 


Sizes  of  Messages  with  Attachments 


The  average  size  of  501  messages  with  attachments  is  47.44k.  The  sizes  of 
approximately  90  percent  of  messages  with  attachments  are  smaller  than 
100k.  The  sizes  of  only  2  percent  of  these  messages  are  between  100-200k. 
Sizes  of  nearly  9  percent  of  messages  are  bigger  than  200k.  In  fact,  about 
285  pieces  of  messages,  which  constitute  more  than  half  of  the  messages 
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with  attachments,  are  smaller  than  30k.  The  messages  with  the  sizes  of  lk 
and  2k  alone， account  for  more  than  28  percent  of  the  sample.  They  are 
mostly  empty  “zip”  files,  with  the  possibility  of  being  messages  with 
attachments  of  viruses  but  disinfected  by  the  e-mail  service  provider.  The 
messages  with  attachments  spreading  W 32 .netsky . C@mm  (35k)  and 
W32.Sober.X@mm  (75)  viruses  account  for  16  percent  and  7  percent  of  all 
of  the  messages  respectively. 


Table  8  Sizes  of  Messages  with  Attachments 


Size 

Numbers 

Percentage 

-lOOkb 

446 

89.0 

100-200kb 

11 

2.2 

200kb- 

44 

8.8 

23,765kb 

501 

100 

Among  which 

-30kb 

285 

56.7 

lkb 

13 

2.6 

2kb 

108 

21.6 

35kb 

80 

W32.N  etsky.  C@mm 

16 

75kb 

35 

W32.Sober.X@mm 

7 
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100-200k 


89.0% 

Figure  2  Sizes  of  Messages  with  Attachments 


Some  special  sizes  of  attachments 


Figure  3  Percentile  of  Some  Special  Sizes  of  Messages  with 

Attachments 


The  unsolicited  messages  with  attachments  account  for  less  than  2 
percent  of  all  unsolicited  messages.  The  average  size  of  unsolicited  e-mails 
with  attachments  is  47.44k， compared  with  the  average  size  of  7.32k  of 
other  unsolicited  e-mails,  a  6.5  fold  bigger.  In  fact,  unsolicited  messages 
with  attachments  contribute  to  more  than  10  percent  of  the  average 
message  size  of  all  unsolicited  messages,  enlarging  the  average  size  from 
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7.32k  of  unsolicited  messages  without  attachments  to  8.09k  of  all  of  the 
unsolicited  messages. 


Table  9  Compare  of  Average  Sizes  of  Messages 


Total  size 

Numbers 

Average 

size 

Average  size  of 

unsolicited  e-mails 

with  attachments 

23,765k 

501 

47.44k 

Average  size  of  other 

unsolicited  e-mails 

186,254k 

25,459 

7.32k 

Average  size  of  all 

unsolicited  e-mails 

210,019k 

25,960 

8.09k 

Average  size  of  non¬ 
spam  e-mails,  both 

with  and  without 

attachments 

14,892k 

200 

74.46k 

Average  size  of  all  e- 

mails 

217,700k 

26160 

8.32k 

Comparatively,  the  average  size  of  200  pieces  of  non-spam  messages  is 
74.46k， even  bigger  than  average  size  of  the  unsolicited  messages  with 


attachments.  The  big  average  size  of  non-spam  messages  does  not  imply 


that  these  messages  are  always  bigger  than  spam  messages.  It  must  be 
pointed  out  that  the  fact  behind  this  figure  is  that  the  large  free  space  of 
the  e-mail  service  is  used  to  deposit  the  users’  own  backup  files， as 
attachments  of  self- sending  self-receiving  messages.  A  single  attachment 
can  be  as  big  as  10Mb  with  this  e-mail  account. 
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Types  of  Sender  Column  in  Unsolicited  Messages  with  Attachments 


Among  the  501  pieces  of  messages  with  attachments， one  is  with  a  blank 
sender  column.  Senders  of  unsolicited  messages  with  attachments  tend  to 
hide  their  names  but  show  e-mail  addresses,  valid  or  false.  Approximately 
60  percent  of  all  messages  show  e-mail  addresses  instead  of  senders’  name, 
which  should  be  considered  substandard.  Others  conceal  their  names  with 
their  surnames  and  titles,  meaningless  letters  and  numbers,  describing 
their  offers  (products,  services  and  activities),  filled  with  words  inducing 
users  to  open  the  messages,  or  simply  exploiting  recipients’  names  and  e- 
mail  address.  In  total,  approximately  83  percent  of  messages  bear 
substandard  sender  columns.  Only  around  one  sixth  of  messages  bear 
standard  personal  names  or  company  names. 


Table  10  Types  of  Sender  Column  in  Unsolicited  Messages  with 

Attachments 


Type 

Number 

Percentage 

(/501) 

Blank 

i 

0.2 

Company  name 

45 

0.9 

Describing  products, 

services  and  activities 

16 

3 

Inducing  users  to 

open  the  messages 

7 

1.4 

Meaningless  letters 

and  numbers 

23 

4.6 
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Recipients’  name  and 

address 

4 

0.8 

Showing  e-mail 

address 

297 

59.3 

Standard  personal 

name 

79 

15.8 

Surname  plus  title 

29 

5.8 

Total 

501 

100 

Valid  Sender  Column  in  Unsolicited  Messages  with  Attachments 


Senders  of  unsolicited  messages  with  attachments  that  are  currently 
empty,  or  with  the  content  of  offering  banking  or  financial  services,  sales 
of  falsified  certificate,  human  resources  recruitment,  publishing  and 
printing,  sales  of  health  products  and  clothes,  soliciting  friends,  and  with 
the  purpose  of  merely  spreading  computer  viruses  are  reluctant  to  provide 
sender  names  in  standard  formats.  Senders  of  unsolicited  messages  with 
attachments  who  offer  telecommunications  services  are  also  quite 
reluctant  to  do  so.  Approximately  one  in  every  three  senders  of  messages 
with  attachments  offering  information  on  companies  and  websites,  sales  of 
books,  VCD  and  DVD  provide  valid  name  format  in  sender  column.  Half  of 
quick  money  opportunities  providers  type  right  names  in  their  messages’ 
sender  column.  Senders  of  messages  with  attachments  that  offer  tax 
evasion  assistance  seem  more  active  in  provide  standard  format  of  names 
in  the  sender  column.  More  than  half  of  them  did  so.  Sixty  percent  of 
senders  who  offer  information  on  training  and  education  opportunities 
type  names  in  standard  format  in  the  sender  column.  The  providers  of 
computer  hardware  and  software  appear  the  most  reliable  senders  of 
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unsolicited  messages  with  attachments,  of  whom  more  than  70  percent 
furnished  standard  sender  column.  One  quarter  out  of  the  senders  who 
offer  other  services  gave  valid  form  of  names. 


Table  11  Valid  Sender  column  in  Unsolicited  Message  with 

Attachments 


Type 

Number  of 

validity  in 

sender  column 

Percentage 

Banking， financial 

0 

0 

Empty  attachments 

0 

0 

Falsified  certificate 

0 

0 

Human  resources 

recruitment 

0 

0 

Introduction  of 

company,  website 

6 

33.3 

Political  propaganda 

14 

56 

Publishing,  printing, 

card  manufacture,  etc. 

0 

0 

Quick  money 

1 

50 

Sales  of  books， VCD, 

DVD 

4 

36.4 

Sales  of  health  products, 

clothes 

0 

0 

Software,  computer 

products 

33 

70.2 

Soliciting  friends 

0 

0 
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Tax  evasion 

37 

53.6 

Telecommunications 

services 

1 

3.4 

Training  and  education 

6 

60 

Virus 

0 

0 

Other  services 

1 

25 

Types  of  Sender  Line  in  Unsolicited  Messages  with  Attachments 


□  E-mail 

□  Name 

□  Company 

□  Title 

■  Letters 

□  Description 

□  Inducing 

□  Recipient 

■  Blank 


Figure  4  Types  of  Sender  Column  in  Unsolicited  Messages  with 

Attachments 


Types  of  Subject  Column  in  Unsolicited  Messages  with  Attachments 


To  label  the  subject  column  with  “AD:”， “ADV:”， or  any  other  kinds  of 
regulatory  means,  is  an  invention  that  has  never  been  respected  by 
senders  of  unsolicited  messages.  Only  less  than  two  in  one  thousand 
messages  have  this  kind  of  label  been  stuck.  Two  in  one  hundred  of  the 
messages  with  attachments  left  the  subject  column  blank.  Approximately 
15  percent  of  messages  used  ambiguous  languages  to  confuse  the 
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recipients.  All  others  attempted  to  draw  recipients’  attention  and  attract 
them  to  open  the  messages,  furnished  the  subject  column  with  languages 
describing  the  content,  giving  greetings,  appearing  related  to  users’  e-mail 
service,  bearing  “Re:”  and  “Fw:”  labels,  or  pretending  users’  friends  and 
contacts,  etc. 


Table  12  Types  of  Subject  Column  in  Unsolicited  Messages  with 

Attachments 


Type 

Number 

Percentage 

“AD:，， label 

i 

0.2 

Ambiguous  language 

74 

14.8 

Blank 

10 

2 

Describing  message 

content 

117 

23.4 

Greetings 

58 

11.6 

“Re:，， and  “Fw:”  label 

21 

4.2 

Related  to  users  e-mail 

service 

84 

16.8 

Special  language  to 

draw  attention 

13 

2.6 

Users9  friends  and 

contacts 

123 

24.6 

Total 

501 

100 
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Description 


Contacts 

24.6% 


23.4% 


Figure  5  Types  of  Subject  Column  in  Unsolicited  Messages  with 

Attachments 

Valid  Subject  Column  in  Unsolicited  Messages  with  Attachments 

Almost  all  of  the  senders  of  messages  with  attachments  offering 
information  on  human  resources  recruitment,  companies  or  websites, 
publishing,  printing,  card  manufacture,  etc.， sales  of  health  products, 
clothes,  and  tax  evasion  ensured  the  valid  subject  column.  A  high 
percentage  of  providers  of  telecommunications  services,  sellers  of  books, 
VCDs,  and  DVDs,  training  information  providers,  quick  money 
information  providers,  and  providers  of  other  services  provided  valid 
subject  columns  in  their  messages.  All  the  senders  of  other  messages  were 
reluctant  in  typing  useful  subjects  for  their  potential  recipients. 

Table  13  Valid  Subject  Column  in  Unsolicited  Messages  with 

Attachments 
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Type 

Number  of 

validity  in 

sender 

column 

Percentage 

Bank,  financial 

0 

0 

Empty  attachments 

11 

10.7 

Falsified  certificate 

0 

0 

Human  resources 

recruitment 

2 

100 

Introduction  of  company, 

website 

18 

100 

Political 

1 

4 

Publishing,  printing,  card 

manufacture,  etc. 

19 

100 

Quick  money 

1 

50 

Sales  of  books,  VCD,  DVD 

8 

72.7 

Sales  of  health  products, 

clothes 

4 

100 

Software,  computer 

products 

1 

2 

Soliciting  friends 

0 

0 

Tax  evasion 

66 

95.6 

Telecommunications 

services 

24 

82.8 

Training 

7 

70 

Virus 

0 

0 
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Other  services  3  75 


Types  of  Content  of  Messages  with  Attachments 


More  than  28  percent  of  messages  are  designed  to  spread  viruses.  More 
than  one  in  five  messages  attached  empty  attachments.  Messages  offering 
both  tax  evasion  services  and  software  and  computer  products  constitute 
around  10  percent  of  all  messages.  Any  of  contents  of  other  messages 
constitute  a  percentage  far  below  10  percent,  with  messages  offering 
telecommunications  services  and  political  propaganda  constitute  around  5 
percent  separately.  Interestingly,  there  is  rarely  any  message  with 
attachment  involving  adult  contents,  investment  chances,  sales  of  pirated 
software,  and  some  other  common  offers  in  messages  without  attachments 
found  in  the  same  e-mail  account. 


Table  14  Types  of  Content  of  Messages  with  Attachments 


Type 

Number 

Percentage 

Bank,  financial 

3 

0.6 

Empty  attachments 

103 

20.6 

Falsified  certificate 

10 

2 

Human  resources 

recruitment 

2 

0.4 

Introduction  of 

company,  website 

18 

3.6 

Political 

25 

5 

Publishing,  printing, 

19 

3.8 
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card  manufacture,  etc. 

Quick  money 

2 

0.4 

Sales  of  books,  VCD, 

DVD 

11 

2 

Sales  of  health 

products,  clothes 

4 

0.8 

Software,  computer 

products 

47 

9.4 

Soliciting  friends 

4 

0.8 

Tax  evasion 

69 

13.8 

Telecommunications 

services 

29 

5.8 

Training 

10 

2 

Virus 

141 

28.1 

Other  services 

4 

0.8 
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□  Virus 

□  Empty 

□  Tax 

□  Software 

■  Tele 

□  Political 

□  Publishing 

□  Websites 

■  Books 

□  Certificate 

□  Friends 

□  Goods 

■  Other 

■  Bank 

□  Money 

□  Recruitment 


Figure  6  Types  of  Content  of  Messages  with  Attachments 


Valid  Content  in  Unsolicited  Messages  with  Attachments 


Interestingly,  most  messages  have  high  percentage  of  valid  contents,  with 
the  exceptions  of  messages  with  empty  attachments  and  messages  with 
attachments  that  spread  viruses. 


Table  15  Valid  Content  in  Unsolicited  Messages  with  Attachments 


Type 

Number  of 

validity  in 

content 

Percentage 

Bank,  financial 

0 

0 

Empty  attachments 

0 

0 

Falsified  certificate 

9 

90 
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Human  resources 

recruitment 

2 

100 

Promotion  of  company, 

website 

13 

72 

Political 

25 

100 

Publishing,  printing, 

card  manufacture,  etc. 

19 

100 

Quick  money 

1 

50 

Sales  of  books,  VCD, 

DVD 

11 

100 

Sales  of  health  products, 

clothes 

4 

100 

Soliciting  friends 

4 

100 

Software,  computer 

products 

47 

100 

Telecommunications 

services 

24 

82.8 

Training 

8 

80 

Virus 

0 

0 

Other  services 

1 

25 

Types  of  Contact  Method  Provided  in  Unsolicited  Messages  with 
Attachments 


Because  many  unsolicited  messages  with  attachments  are  spreading 
viruses,  they  generally  provided  no  contact  information,  with  a  few 
exceptions.  Other  messages  included  one  or  more  kinds  of  contact  methods 


184 


in  the  message  texts.  Of  total  501  messages,  more  than  one-third  of  the 
messages  provided  hyperlinks  directed  to  websites,  while  less  than  one- 
third  provided  fixed  telephone  numbers.  Both  e-mail  addresses  and  mobile 
phone  numbers  are  preferred  by  more  than  22  percent  of  senders.  Fax 
numbers  and  physical  addresses  are  included  in  about  16  and  10  percent 
of  messages  separately.  QQ  (a  chat  system  mainly  used  by  Chinese 
Internet  users)  are  provided  in  8  percent  of  messages.  MSN  is  the  least 
used  contact  method  in  the  501  messages. 

Unsubscribe  is  nothing  more  than  a  decoration  in  unsolicited 
messages  with  attachments.  Unsubscribe  method  is  only  provided  in  2.2 
percent  of  messages. 


Table  16  Types  of  Contact  Method  Provided  in  Unsolicited 


Messages  with  Attachments 


Contact  Methods 

Number 

Percentage 

(/501) 

Address 

50 

10 

E-mail 

113 

22.6 

Fax 

79 

15.8 

MSN 

12 

2.4 

Mobile  phone 

112 

22.4 

QQ 

40 

8 

Telephone 

145 

28.9 

Unsubscribe 

method 

11 

2.2 

Website 

182 

36.3 
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Figure  7  Types  of  Contact  Method  Provided  in  Unsolicited 
Messages  with  Attachments 


Falsity  of  Sender， Subject  and  Content 


Only  one  in  five  of  the  unsolicited  messages  with  attachments  used  valid 
format  in  sender  column,  one  in  three  used  valid  subject  column,  and  more 
than  half  provided  valid  content.  However,  only  58  messages  had  both 
valid  format  of  sender  and  subject  column,  and  293  messages  with  both 
false  format  of  sender  and  subject  column.  Other  42  messages  have  valid 
format  of  sender  column  but  false  format  of  subject  column,  while  108 
messages  have  false  format  of  sender  column  but  valid  format  of  subject 
column.  The  overall  falsity  of  subject  or  sender  column  constitutes  88.4 
percent. 


Table  17  Validity  and  Falsity  of  Sender  and  Subject  Columns  and 

Content  Separately 


Number 

Percentage 
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Sender 

Valid 

100 

20 

False 

401 

80 

Subject 

Valid 

166 

33.1 

False 

335 

66.9 

Content 

Valid 

260 

51.9 

False 

241 

48.1 

The  validity  and  falsity  of  content  take  almost  50  percent  separately. 


Table  18  Validity  and  Falsity  of  Either  Subject  or  Sender  Column 


Sender 

Valid 

False 

Total 

numbers 

Percentage 

Subject 

Valid 

58 

108 

166 

33.1 

False 

42 

293 

335 

66.9 

Total 

numbers 

100 

401 

501 

100 

Percentage 

20 

80 

100 

Percentage 

of  validity 

of  both 

columns 

11.6 

Discussion 
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Senders  of  e-mail  messages  with  attachments  adopted  adept  tricks  in 
attention  getting  and  trepanning  the  recipients.  Opening  the  messages 
and  the  attachments  is  the  first  goal  of  the  senders.  Generally,  they  use 
ambiguous  and  false  sender  and  subject  columns,  but  ensure  the  valid 
contents  (except  messages  spreading  viruses)  so  as  to  show  their  offers 
and  set  their  traps. 

The  surveyed  messages  with  attachments  prove  that,  except  messages 
spreading  viruses,  they  are  relatively  moderate  in  the  sense  of 
harmfulness  of  the  contents,  compared  with  the  findings  in  the  previous 
studies  that  did  not  distinguish  messages  with  attachments  from  those 
without. 

At  the  same  time,  this  study  reveals  that  the  unsolicited  e-mail 
messages  with  attachments  can  have  broader  influence  on  the  criminal 
phenomenon,  not  only  victimization,  but  also  conspiracy.  This  exploits  the 
function  of  e-mail  communications  being  an  offensive  means  by  which  the 
recipients  are  victimized  as  well  as  being  a  conspiracy  tool  with  which  the 
recipients  are  seduced  to  participate  criminal  operations. 

In  the  Internet  environment,  the  most  frequent  victimization  model 
begins  from  exposing  of  victims  to  the  potential  threats,  which  we  can  call 
as  exposing-victimization  model.  Under  this  model，  the  victim  of 
unsolicited  messages  with  attachments  merely  puts  his/her  e-mail  address 
on  the  web  pages， bulletin  board  systems,  uses  it  in  the  chat  systems,  or 
even  only  transmits  it  through  the  Internet.  The  exposure  does  not 
necessarily  mean  show-off.  Rather,  it  is  just  a  kind  of  presence  on  the 
Internet  literally  or  digitally,  something  inevitable.  Nevertheless,  the 
exposing-victimization  model  at  least  implies  that  the  senders  of 
unsolicited  messages  with  attachments  could  easily  get  the  e-mail  address 
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in  the  same  way  as  other  Internet  users  do， without  further  efforts  in 
collecting  or  harvesting  these  addresses. 

In  other  cases,  the  senders  of  messages  with  attachments  have  a 
seeking  process,  and  follow  the  seeking-victimization  model.  Due  to  the 
large  quantity  of  web  pages  and  other  Internet-related  contents,  the  direct 
artificial  collection  of  multiple  e-mail  addresses  becomes  inefficient.  The 
senders  (here  we  also  imply  address  providers)  utilize  specialized  software 
to  harvest  e-mail  addresses  from  the  Internet.  The  collecting  process 
becomes  automatic  and  efficient.  By  doing  so,  they  created  the  seeking- 
victimization  model  in  sending  messages  with  attachments.  Besides 
harvesting,  they  also  exploit  dictionary  attack  and/or  automatic 
alphabetical  permutation  and  combination  to  enumerate  possible 
usernames  in  e-mail  accounts.  These  methods  can  also  be  categorised  into 
seeking  process.  For  the  senders,  an  e-mail  account  with  a  random  word 
might  not  represent  a  specified  person;  but  for  the  recipient,  he/she  is 
readily  the  victim  of  this  unsolicited  message  with  attachment. 

The  victimization  of  recipients  of  unsolicited  messages  with 
attachments  happens  without  the  appearance  of  the  recipients  in  their  e- 
mail  account.  The  victimization  means  that  their  e-mail  accounts  are 
being  spammed,  whether  they  open  their  accounts  or  not.  Under  current 
legal  framework,  the  receiving  of  unsolicited  messages  is  sufficient  to 
constitute  victimization  of  the  behaviour  to  be  imposed  punishment. 

However,  the  victimization  of  unsolicited  messages  with  attachments 
does  not  end  at  the  initial  victimization.  The  above-mentioned  models 
could  be  called  as  the  first  level  effects  of  unsolicited  messages  with 
attachments.  Subsequently,  the  second  level  effects  are  based  on  the 
initial  victimization.  There  are  possibly  also  two  models:  initial 
victimization-  sub  sequent  victimization  model  and  initial  victimization- 
conspiracy  model. 
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The  initial  victimization-  sub  sequent  victimization  model  happens 
when  the  messages  include  viruses,  fraudulent  sales  of  goods,  or  falsified 
financing  and  banking  services.  The  first  level  victimization  is  being 
spammed,  while  the  second  level  victimization  is  being  attacked  or 
swindled. 

The  second  level  victimization  does  not  always  fulfil  so  simply.  There 
usually  involves  an  initial  victimization-exposing-seeking-subsequent 
victimization  process.  In  the  case  of  the  Nigerian  fraud  (or  419  fraud),  the 
recipients  of  the  unsolicited  messages  are  firstly  victimized  by  receiving 
this  kind  of  messages  (being  spammed).  If  they  make  positive  reaction  to 
the  messages,  they  are  further  exposing  to  the  senders.  Upon  receiving  the 
recipients’  reaction,  the  senders  will  further  seek  the  vulnerability  of  the 
recipients  and  the  possibility  of  obtaining  their  property.  The  process  of 
seeking  and  exposing  might  be  repeated  for  a  number  of  times.  If  the 
senders  succeed  in  obtaining  the  recipients’  property,  the  last 
victimization  would  happen  and  the  scam  would  end. 

The  victimization-conspiracy  model  happens  when  the  messages 
include  tax  evasion  services,  sales  of  pirated  software,  sales  of  falsified 
documents,  and  so  on.  The  recipients  of  such  offers  are  firstly  victimized 
by  the  unsolicited  messages;  and  if  they  participate  the  illegal  operations, 
they  would  become  the  conspirators  of  the  senders. 

Because  the  recipients  of  the  unsolicited  messages  inducing 
conspiracy  in  an  illegal  operation  would  expect  to  benefit  from  the 
cooperation  with  the  senders,  the  senders  are  more  likely  to  send  this  kind 
of  messages.  In  fact,  in  Nigerian  fraud,  the  senders  are  usually 
personating  politicians  who  want  to  transfer  property  (money,  diamond， 
and  so  on)  to  the  bank  accounts  of  the  recipients.  As  a  result,  the 
“conspirators”  of  money  laundering  are  finally  to  be  victimized  in  the 
trickery. 
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Conclusion 


The  phenomenon  of  unsolicited  e-mail  messages  with  attachments  further 
proved  the  low  controllability  or  uncontrollability  of  the  information 
network  environment.  Any  e-mail  address  is  vulnerable  to  unsolicited 
messages  that  were  sent  to  exposed  accounts  on  the  Internet  or  supposed 
account  according  to  the  dictionary.  For  the  senders,  both  ways  could  be 
seen  as  a  process  of  seeking.  For  recipients,  both  ways  could  also  be  seen 
as  a  process  of  exposing.  However,  these  seeking  and  exposing  processes 
have  become  more  abundant  and  colourful  in  the  Internet  environment 
than  pre-Internet  times. 

The  mere  browse  of  the  web  pages  is  the  easiest  method  to  get  e-mail 
account,  but  it  is  less  efficient.  The  sender  can  also  purchase  millions  of 
addresses  of  different  interests  of  users  from  the  specific  vendors.  Except 
an  inexpensive  price， the  buyer  can  conveniently  reach  a  majority  of  these 
addresses.  Besides,  the  address  harvesting  becomes  automatized  and 
prevalent  with  the  help  of  powerful  software.  Anyone  with  a  few  computer 
and  Internet  knowledge  has  the  ability  to  master  the  uncomplicated  skills 
and  subsequently  collect  thousands  or  millions  of  addresses  with  specific 
software,  which  can  be  downloaded  from  the  Internet  free  of  charge  or 
with  a  small  payment. 

The  exposure  of  e-mail  account  on  the  Internet  is  unavoidable, 
because  the  exposure  is  in  so  broad  a  sense  that  all  the  normal  use  of  the 
account  could  be  seen  as  an  exposing  process,  including  sending  and 
receiving  messages;  publishing  on  web  pages,  chat  rooms,  and  BBSes; 
providing  as  register  information  in  online  services;  or  exposing  nothing 
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more  than  coincidence  with  a  dictionary  vocabulary;  or  merely 
permutation  and  composition  of  letters  and  numbers  that  the  senders  also 
dope  out.  In  fact,  exposure  of  a  single  e-mail  account  will  not  be  so  risky 
without  the  harvesting  mechanism,  because  it  is  an  inefficient  way  to  pick 
up  single  e-mail  account  from  the  Internet.  However,  because  the  e-mail 
account  vendors  could  collect  and  transfer  in  a  dynamic  process,  and 
finally  form  a  growing  account  database  to  maintain  their  business.  The 
harvesting  software  and  dictionary  attack  undoubtedly  deepen  the 
victimization  of  the  e-mail  account  holders. 

In  general,  the  exposed  e-mail  account  might  face  double  risks  of 
being  victimized:  being  collected  in  formal  browse  of  web  pages  and  use  of 
other  Internet  services;  and  being  harvested  and  guessed.  Compared  with 
daily  used  e-mail  accounts  without  showing  up  on  the  web  pages  or  other 
Internet  services  except  merely  sending  and  receiving  messages,  the 
published  accounts  are  more  likely  to  be  victimized.  Therefore,  it  seems 
more  likely  that  the  process  of  harvesting  but  not  guess  that  feeds  on  the 
vendors  of  database  of  e-mail  accounts  and  senders  of  unsolicited 
messages.  As  a  result,  the  double  risks  of  exposed  e-mail  accounts  are  in 
fact  unbalanced:  the  risk  of  being  victimized  by  collectors  and  harvesters 
are  far  serious  than  the  guessers. 

The  unsolicited  messages  with  attachments  provide  e-mail  users 
many  different  choices,  either  legitimate  or  illegitimate,  either  to  conspire 
or  to  be  further  victimized  by  attached  viruses  or  pre-established  fraud 
traps.  The  majority  of  messages  in  this  study  granted  recipients  two 
alternatives:  to  conspire  in  tax  evasion,  or  to  be  damaged  by  viruses. 

In  the  case  of  conspiracy  in  tax  evasion,  the  senders  always  provide 
valid  contact  methods  so  as  to  induce  the  recipients  to  participate  in  the 
illegitimate  operations.  The  offer  seemingly  aims  to  establish  a 
relationship  between  service  provider  and  clients.  But  the  effect  is  that 


192 


they  form  conspiracy.  The  recipients  have  to  react  actively  before  they 
become  the  conspirators  of  the  tax  evasion  activities.  The  process  might 
involve  repeated  e-mail  exchanges  upon  the  initial  unsolicited  messages. 
Under  these  circumstances,  the  unsolicited  messages  might  be 
transformed  into  literally  valuable  (but  morally  wrong  and  legally 
prohibited)  information.  Such  messages  become  the  communications 
means  for  the  trespassers  and  criminals,  posing  great  threats  for  the  social 
control  over  illegal  activities. 

In  the  case  of  viruses  attack,  the  senders  exploited  social  engineering 
to  induce  the  recipients  to  open  the  messages  and  subsequently  the 
attachments,  by  blurring  the  sender,  subject  columns  and  falsifying  the 
message  contents  and  attachment  names.  These  messages  do  not  require 
replies  from  the  recipients  before  they  cause  damages.  They  are  also 
dangerous  for  the  recipients  in  the  sense  that  they  are  harming  the 
recipients’  hardware  and  software,  wasting  the  labour  force,  and  hindering 
the  business. 
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CHAPTER  VIII  CYBER  WARFARE? 


Introduction 

While  we  are  enjoying  the  fruits  of  the  possibility  of  disseminating 
information  in  large  quantities  and  at  high  speed  in  this  networked 
society,  we  have  also  to  take  the  risk  of  forcing  ourselves  to  trade 
unexpected  by-products  of  cyberspace.  Information  and  communications 
technology  (ICT)  can  produce  a  surprisingly  large  amount  of  products  and 
by-products  for  these  technology-dependent  people,  such  as  security  and 
insecurity,  welfare  and  crime,  peace  and  war,  to  name  some.  In  fact, 
insecurity,  crime  and  war  are  information  society’s  silhouettes,  merging 
easily  but  being  difficult  to  eliminate. 

Overall,  the  Internet  services  lack  of  controllability  and  become  the 
breeding  ground  of  insecurity,  as  a  response  to  which  many  governments 
have  enacted  specific  legislation  criminalizing  invasive  and  destructive 
activities  targeted  at  information  systems.  Because  security-breaking 
activities,  committed  with  the  assistance  of  the  globally-connected 
computer  networks,  can  easily  cross  the  territorial  borders,  it  is  unknown 
but  broadly  accepted  that  different  countermeasures  may  generate  a 
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paradise  for  perpetrators. 


Information  Warfare  (IW)  is  increasingly  listed  alongside  nuclear, 
chemical,  and  biological  weapons  as  a  potential  weapon  of  mass 
destruction  (WMD) — or  at  least  as  a  weapon  of  mass  disruption  (Eriksson 
1999， pp.  57-64).  Under  such  circumstances,  interest  in  and  concern  for 
cyber  warfare  have  also  been  prevalent  for  decades.  War-oriented  writer 
usually  exploited  such  serious  and  expensive  terms  as  cyber  war, 
information  war,  and  electronic  war  to  spread  their  impetuous  and  cheap 
ideas.  Using  search  engines， we  can  produce  the  following  numbers  of 
results  (as  of  July  17,  2009): 


Table  19  Online  Use  of  Cyber  War  Terms 


Google 

Yahoo 

Amazon 

(copies  of  books 

only) 

Cyber  war 

121,000, ⑻ 0 

55, 600, ⑻ 0 

697 

Cyberwar 

1,770,000 

4,740,000 

718 

Cyber  warfare 

840, ⑻ 0 

11，100, ⑻ 0 

549 

Cyber  warfare 

315, ⑻ 0 

2,890,000 

278 

Information  war 

1，140,000,000 

875,000, ⑻ 0 

26,445 

Information 

warfare 

94,800, ⑻ 0 

59，100, ⑻ 0 

4,594 

It  may  be  said  that  the  terms  are  used  in  a  way  blotting  out  the  sky 
and  the  earth  in  cyberspace.  Yet  worse,  authors  created  scores  of  books  in 
the  title  of  which  filled  with  such  terms  as  well,  mostly  without  critical 
views  against  the  abuse  of  them.  Information  society,  to  some  extent, 
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means  there  is  too  much  information  for  users  to  consume,  so  that  they 
are  frightened  by  cyber  war  and  cyber  terror,  victimized  by  cyber  bullying 
and  cyber  crime,  and  at  last  jammed  by  cyber  jokes,  cyber  hoaxes  and 
cyber  hypes. 

As  a  computer  and  network  security  researcher  and  industry  leader, 
Marcus  J.  Ranum  said  in  March  2009， 

“There  has  been  a  great  deal  of  irresponsible  and  inaccurate  talk 
about  ‘Cyber  War’  in  the  last  decade  in  spite  of  the  fact  that  it’s 
technologically  and  militarily  impractical.  Its  counterpart,  ‘Cyber 
Espionage’  makes  a  bit  more  sense,  and  is  less  mythical  but  falls  under 
the  category  of  ‘nothing  new.”’ 

Nevertheless,  there  are  still  few  people  realizing  the  real  issue  behind 
media’s  full  coverage  of  cyber  attack  during  big  or  small  international 
conflicts.  No  more  than  a  month  ago,  it  was  reported  that  Britain’s 
Security  Minister,  Lord  West,  as  he  published  the  Government’s  Cyber 
Security  Strategy,  had  issued  a  warning  about  terrorists’  intentions  of 
launching  a  cyber  warfare  battle  against  the  UK  (Gardham  2009). 

The  strategy  clarified  in  detail  the  threats  from  various  actors. 
Besides  criminals, 

“The  most  sophisticated  threat  in  the  cyber  domain  is  from 
established,  capable  states  seeking  to  exploit  computers  and 
communications  networks  to  gather  intelligence  on  government,  military, 
industrial  and  economic  targets,  and  opponents  of  their  regimes.  The 
techniques  used  by  these  state  actors  go  beyond  ‘traditional’  intelligence 
gathering  and  can  also  be  used  for  spreading  disinformation  and 
disrupting  critical  services... Some  states  also  encourage,  and  benefit  from, 
the  expertise  of  ‘patriotic  hackers’,  "carrying  out  attacks  safe  from 
prosecution  in  their  own  countries.  The  use  of  proxies  provides  state 
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actors  with  an  extra  level  of  deniabilit/’.  (UK  Office  of  Cyber  Security  and 
UK  Cyber  Security  Operation  Centre  2009,  p.  13) 

“Terrorists  and  violent  extremists  use  cyber  space  for  communication, 
co-ordination,  propaganda,  fundraising,  radicalisation,  and 
recruitment. .  .Whilst  we  expect  terrorist  groups  to  continue  to  favour 
high-profile  conventional  operations  over  cyber  attacks,  we  must  be 
vigilant  against  any  future  increase  in  capability."”  (UK  Office  of  Cyber 
Security  and  UK  Cyber  Security  Operation  Centre  2009,  p.  13). 

A  growing  tendency  is  that  many  writers  have  recognized  the 
pseudomorphism  of  the  cyber  warfare  hallucination,  revealing  the  truth 
and  interest  behind  cyber  warfare  claims.  This  essay  by  no  means 
devaluates  serious  designs  and  plans,  studies  and  research,  ideas  and 
claims  revolving  around  cyber  warfare.  Rather,  the  purpose  of  this 
Chapter  is  to  analyze  existing  jokes,  hoaxes  and  hypes  on  the  so-called 
cyber  warfare,  so  as  to  distance  serious  research  from  misleading 
information.  Serious  researchers  should  always  bear  in  mind  that  the  use 
of  information  on  cyber  warfare  in  today’s  world  is  a  thing  that  needs 
reliable  evidence， proof  and  witnesses. 


How  to  write  “the  scariest  cyber  warfare  article” 


Cyber  warfare  as  become  a  big  topic,  an  attractive  topic,  a  revenue¬ 
generating  topic,  and  a  hot  topic.  Readers  and  audience  are  willing  to  read, 
listen  and  watch  however  it  is  written,  narrated  and  performed.  Authors 
are  willing  to  write  whatever  the  readers  are  willing  to  read.  Media  are 
willing  to  publish  whatever  the  authors  are  willing  to  write  and  whatever 
the  readers  are  willing  to  read.  Every  player  meet  his/her  own  needs  in 
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one  way  or  the  other:  readers  satisfy  their  endless  curiosity  by  reading, 
writers  make  their  money  by  writing,  and  media  win  both  popularity  and 
money  from  publishing,  and  government  show  up  its  political 
achievements.  Even  the  army  will  demonstrate  their  ability  and  capacity 
by  presenting  their  understanding  of  and  deal  with  the  “big”  issue,  which 
is  something  a  mystery  for  layman.  However,  any  discourse  has  to  have 
some  structural  expression,  beginning  with  attraction,  processing  with 
ambiguity,  and  ending  with  suspense.  Yet  everything  should  not  be  so 
accurate,  so  sound,  so  clear,  and  so  sure. 

Therefore,  when  we  read  almost  all  of  the  news  reports  and  articles 
by  non-academic  authors,  we  have  the  strong  feeling  that  these  articles 
can  be  composed  by  everyone  who  is  willing  to  do  so.  Reality,  fact,  truth, 
accuracy  and  conscience  are  not  so  relevant  here.  The  only  things  are 
some  tips  that  should  be  followed.  Evgeny  Morozov  published  his 
guidance  on  “10  easy  steps  to  writing  the  scariest  cyber  warfare  article 
ever”  (Morozov,  2009a).  There,  he  sarcastically  proposed  some  tips  on  how 
a  cyber  warfare  article  can  be  manufactured.  Key  things  to  be  presented 
are:  digital  Pearl  Harbor,  2007  attacks  on  Estonia,  Chinese  hackers, 
cyber-pranks,  expert  quotations,  old  stories,  etc.  By  doing  so,  a  cyber 
warfare  article  can  be  concocted  in  a  low-cost  high-benefit  efficient  way. 

His  steps  are  (seemingly  only  9  steps,  with  original  step  7  missing. 
Here  they  are  re-numbered): 

1.  Give  a  catchy  title  with  coined  terms  such  as  “digital  Pearl  Harbor”, 
“cyber-Katrina”， and  “electronic  9/11”， but  never  explain  what  it  means; 

2.  Begin  the  story  with  2007  attacks  on  Estonia,  but  never  mention 
that  it  only  lasted  for  twenty  minutes; 

3.  Drop  references  to  Chinese  hackers  in  every  paragraph; 

4.  Mention  the  cyber-pranks  of  Kremlin-affiliated  youth  movements; 


201 


5.  Find  and  quote  industry  experts  with  the  biggest  possible  conflicts 
of  interest; 

6.  Go  and  recycle  old  facts,  quotes,  and  official  statements; 

7.  Throw  in  some  geopolitical  kerfuffle  that  involves  a  country  located 
between  China  and  Russia; 

8.  Refer  to  anything  involving  cyber  war  between  Israel  and  Palestine; 

9.  Make  sure  to  mention  that  NS  A,  CIA,  and  DIA  are  all  involved  in 
the  case,  but  they  cannot  comment. 

In  a  word,  writing  about  cyber  warfare  could  not  be  done  by  delicate 
scientific  calculation,  detailed  statistics,  real-life  interview,  deep 
investigation,  and  field  work  in  person.  It  should  be  developed  through 
imagination  under  some  kinds  of  inspiration.  It  is  like  a  sci-fi  rather  than 
a  fact  report. 

Practically,  among  others,  every  article  published  in  recent  three 
years  began  with  2007  cyber  attacks  on  Estonia,  which  has  already  been 
proved  to  be  the  act  of  a  native  ethnic  Russian  young  man.  No  nation 
state  was  ever  involved.  No  government  was  behind  him.  No  official 
coordination  ever  took  place.  Yet  they  suspected  a  country  from  beginning 
to  the  end.  Furthermore,  authors  tend  to  connect  every  catastrophic  result 
in  critical  infrastructure  in  the  real  world  with  possibility  of  interruption 
of  the  Internet.  As  typical  articles  started  the  narration  in  this  way: 

“Imagine  that  agents  of  a  hostile  power,  working  in  conjunction  with 
organized  crime,  could  cause  huge  traffic  jams  in  your  country’s  biggest 
cities-big  enough  to  paralyze  business,  the  media,  government  and  public 
services,  and  to  cut  you  off  from  the  world.  That  would  be  seen  as  a  grave 
risk  to  national  security,  surely?  Yes,  unless  the  attacks  came  over  the 
internet.”  (Economist,  2007). 
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“The  next  world  war  might  not  start  with  a  bang,  but  with  a  blackout. 
An  enemy  could  send  a  few  lines  of  code  to  control  computers  at  key  power 
plants,  causing  equipment  to  overheat  and  melt  down,  plunging  sectors  of 
the  U.S.  and  Canadian  grid  into  darkness.  Trains  could  roll  to  a  stop  on 
their  tracks,  while  airport  landing  lights  wink  out  and  the  few  traffic 
lights  that  remain  active  blink  at  random. 

“In  the  silence  and  darkness,  citizens  may  panic,  or  they  may  just  sit 
tight  and  wait  for  it  all  to  reboot.  Either  way,  much  of  the  country  would 
be  blind  and  unresponsive  to  outside  events.  And  that  might  be  the 
enemy’s  objective:  Divert  America’s  attention  while  mounting  an  offensive 
against  another  country.”  (Derene,  2009) 

In  fact,  events  in  cyberspace  could  never  be  compared  with  their 
social  counterparts.  No  one  has  reportedly  died  of  hacking,  spamming  or 
stalking.  No  company  has  reportedly  bankrupted  due  to  denial-of-service 
attacks.  Even  the  broadly  concerned  Nigerian  419  scam  has  never  had  as 
big  a  business  as  done  by  the  former  chairman  of  the  Nasdaq  stock 
market.  It  seems  that  when  people  are  unable  to  deal  with  issues  in  from 
of  them， then  they  will  look  for  some  scapegoat,  regardless  of  offline  or 
online， so  that  the  issue  can  be  enlarged  at  such  a  scale  that  it  seems 
cannot  be  dealt  with  using  normal  efforts.  As  a  result,  they  are  to  be 
excused.  Then  more  sophisticated  ideas  will  be  written;  what  are  written 
will  be  published;  what  are  published  will  be  read;  what  are  read  will 
surely  benefit  all.  Government  and  the  army  will  get  more  money  from 
taxpayers  and  employ  more  personnel,  construct  bigger  office  buildings, 
be  better  respected  by  citizens.  “Cyber  warfare”  discourse  is  helping  to 
form  a  cost-effective  new  industry.  As  Morozov  pointed  out  that, 

“Cyber- security  fears  have  had,  it  should  be  said,  one  unambiguous 
effect:  they  have  fueled  a  growing  cyber- security  market,  which,  according 
to  some  projections， will  grow  twice  as  fast  as  the  rest  of  the  IT  industry.” 
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(Morozov,  2009b) 


However,  look  at  how  media  are  trying  to  distance  themselves  from 
the  author,  even  though  they  are  pleased  to  harvest  money  from  fake 
stories: 

“Reader’s  advisory:  Wired  News  has  been  unable  to  confirm  some 
sources  for  a  number  of  stories  written  by  this  author.  If  you  have  any 
information  about  sources  cited  in  this  article,  please  send  an  e-mail  to 
sourceinfo[AT]wired.com.’’  (Retrieved  July  17，  2009  from 

http : //www.wired.com/politics/law/news/2001/ 04/43437). 


April  Fool’s  joke 


In  early  1990s， during  Gulf  War  I,  Infoworld  magazine  published  as  April 
Fool’s  joke.  The  story  claimed  that  the  National  Security  Agency  had 
developed  a  computer  virus,  called  AF/91， to  immobilize  Iraqi  air  defense 
computers  by  chomping  windows.  What  was  mystified  was  that  the  virus 
was  smuggled  into  Iraq  through  Jordan,  concealed  in  a  chip  in  a  printer. 


The  joke  was  gossiped  for  days  by  those  who  thought  it  funny  as  well 
as  those  who  missed  the  original  citation  and  engaged  in  laborious 
discussion  on  the  imagined  technology  of  the  virus  (Smith,  2003).  U.S. 
News  and  World  Report  acquired  the  story  and  published  news  of  the  Gulf 
War  virus  in  its  coverage  of  the  war  (Smith,  2003).  The  U.S.  News  and 
World  Report  wrote  that  the  Gulf  War  virus  attacked  Saddam’s  defenses 
by  “devouring  windows”  that  Iraqi  defenders  used  to  check  on  aspects  of 
their  air  defense  system:  “Each  time  a  technician  opened  a  window... the 
window  would  disappear  and  the  information  would  vanish.”  From  there, 
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the  fake  story  was  reported  by  the  Associated  Press,  CNN,  ABC  Nightline， 
and  newspapers  across  the  U.S.  (Smith,  2003). 

In  probing  the  reason  why  the  hoax  could  succeed,  Smith  (2003) 
pointed  out  that， 

“The  Gulf  War  virus  plays  to  a  uniquely  American  trait:  a  child-like 
belief  in  gadgets  and  technology  and  the  people  who  make  them  as 
answers  to  everything.  Secret  National  Security  Agency  computer 
scientists  made  viruses  that  hobbled  Saddam’s  anti -air  defense  without 
firing  a  shot!  Or  maybe  it  didn’t  work  but  it  sure  was  a  good  plan!” 

Some  years  later,  I  heard  another  piece  of  news  from  radio,  reporting 
that  there  emerged  a  kind  of  powerful  influenza  virus,  which  could  reside 
in  a  telephone  and  spread  via  the  telephone  line  to  other  telephones, 
regardless  of  however  its  length  was.  As  soon  as  the  call  from  the 
telephone  where  the  viruses  resided  was  accepted  by  the  other  side,  the 
viruses  could  transport  themselves  along  the  line  to  the  telephone  where 
they  did  not  yet  reside  by  300,000  kilometers  per  second， the  velocity  of 
light.  It  was  a  matter  of  picking  the  phone  up.  They  came  out  now  and 
then  from  the  telephone  they  resided  and  infected  people  nearby.  This 
humorous  version  of  a  horror,  integrating  both  natural  phenomena  and 
high-tech  invention， can  pose  a  more  “realistic”  threat  against  human 
beings  than  cyber  warfare  does.  Just  imagine  it. 


Rise  and  fall  of  Estonian  cyber  war  hoax 

“Estonia， a  good  place  for  an  alleged  cyberwar  because  no  real  journalists 
were  actually  interested  in  actually  wasting  their  time  in  going  there  to 
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investigate  it， is  a  fine  repeatable  tale  in  the  tradition  of  digital 
war  stories/5  (Smith  2007) 

The  term  “Estonia  under  cyber  attack”  made  many  people  to  recall 
the  breaking  news  broadcast  on  TV  on  September  11， 2001， when  several 
planes  flew  into  several  U.S.  buildings.  The  difference  between  them  is 
that  the  Estonian  version  is  a  cyber  attack.  April  of  2007  witnessed 
Estonian  authorities’  relocation  of  the  Bronze  Soldier  of  Tallinn  from  the 
center  of  the  capital  city  to  the  outskirts  of  town.  Nationalists  in  that 
country  considered  the  Soviet  Red  Army  as  occupiers  and  oppressors. 
Ethnic  Russians,  making  up  nearly  a  quarter  of  Estonia’s  population, 
were  incensed  by  the  statue’s  treatment  and  took  to  the  streets  in  protest. 
Estonia  later  blamed  Moscow  for  coordinating  the  turbulence;  order  was 
restored  after  American  and  European  diplomatic  interventions.  Days 
after  the  riots,  the  information  infrastructure  of  Estonia  began  to  fray, 
victimized  by  “denial  of  service”  attack.  A  flood  of  sham  requests  for 
information  from  computers  around  the  world  conspired  to  cripple  the 
websites  of  Estonian  banks,  media  outlets,  and  ministries  for  days. 
Estonia  denounced  the  attacks  as  an  unprovoked  act  of  aggression  from  a 
regional  enemy. 

Some  observers  reckoned  that  the  onslaught  on  Estonia  was  of  a 
sophistication  not  seen  before.  The  case  is  studied  intensively  by  many 
countries  and  military  planners  as  it  may  have  been  one  of  the  largest 
instances  of  state-sponsored  cyber  war  fare. 

Estonian  Foreign  Minister  Urmas  Paet  accused  the  Kremlin  of  direct 
involvement  in  the  cyber  attacks.  However,  on  September  6， 2007 
Estonia’s  defense  minister  admitted  he  had  no  evidence  linking  cyber 
attacks  to  Russian  authorities.  Russia  called  accusations  of  its 
involvement  “unfounded，”  and  neither  NATO  nor  European  Commission 
experts  were  able  to  find  any  proof  of  official  Russian  government 


206 


participation. 

In  early  2008， one  Estonian  ethnic-Russian  national  has  been 
charged  and  convicted.  The  so-called  Estonia  Cyber  War  turned  out  to  be 
some  Estonian  citizens’  activities.  What  an  embarrassment  for  all  those 
who  had  ever  hyped  such  a  case  as  a  cyber  war. 


A  “cyber  warfare”  years  before 

According  to  many  journalists  and  analysts,  “Cyberwar  has  always  been 
said  to  be  easy  to  do.  A1  Qaeda  has  always  been  said  to  be  working  on  it. 
Before  al  Qaeda,  it  was  Russia,  China,  India,  North  Korea.  Even  Saddam 
Hussein  was  imagined  to  be  readying  a  US-smashing  Internet  strike 
force.”  (Smith  2007) 

In  recent  years,  the  so-called  cyber  warfare  becomes  a  routine  activity 
when  ever  international  conflicts  emerge.  One  of  such  occasion  took  place 
in  2001  when  the  world  was  in  troubled  times.  Early  that  year,  a  scholar 
had  launched  a  “cyber  war”  by  himself  and  he  was  nearly  criminally 
investigated.  At  the  time,  He  was  offered  a  scholarship  to  pursue  studies 
and  research  on  economic  criminal  law  in  a  highly  industrialized  country, 
where  the  computer  and  networks  had  already  been  ubiquitously  used. 
His  office  there  was  equipped  with  a  computer  and  it  got  connected  to  the 
Internet. 

Long  before  that,  he  had  had  some  interest  in  doing  further  research 
on  cybercrime,  the  counterpart  of  which,  computer  crime,  had  been  the 
theme  of  his  master’s  degree  thesis. 

Lawyers  whose  research  was  focused  on  legal  issues  in  cyberspace 
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generally  did  not  probe  the  mechanism  of  these  activities  in  detail.  In  this 
occasion,  in  order  to  better  understand  how  the  computer  could  be 
compromised,  he  decided  to  do  a  series  of  experiments.  He  made  contact 
with  some  laboratories  in  West  Europe  and  North  America  for  potential 
opportunities  to  be  hosted,  but  only  in  vain.  Finally,  he  began  to  change 
his  office  into  his  own  laboratory,  using  two  notebook  computers.  The  first 
step  of  his  experiment  was  to  test  the  security  level  of  computers  in 
several  universities  and  other  institutions  in  several  countries  located  in 
different  continents,  so  that  he  could  have  first-hand  knowledge  about 
whether  they  were  protected  and  to  what  extent  they  were  secure.  The 
experiment  was  done  by  using  programs  publicly  available  on  the  web.  No 
one  said  whether  such  tools  were  legal  or  not.  No  one  prohibited  them 
from  being  created  and  disseminated.  He  just  used  such  tools  in  his 
experiment  to  look  for  externally  accessible  computers  online.  Upon  setup 
the  parameters,  the  work  was  automatically  done,  with  open  ports  listed. 
During  a  time  span  of  around  10  days,  he  used  his  computers  at  work  in 
day  time， and  left  them  doing  the  research  in  night  time. 

He  took  down  each  open  vulnerable  computer  in  a  note  book.  After 
some  days,  hundreds  of  thousands  of  computers  had  been  tested; 
hundreds  of  such  computers  had  been  found,  including  those  in  use  at 
universities  in  that  country  and  other  countries.  By  this  record,  he  could 
do  quite  a  lot  of  analysis. 

His  work  would  have  never  been  completed  voluntarily  as  the  result 
would  surely  have  been  of  great  value  for  his  research. 

However,  all  of  a  sudden,  his  computers  were  taken  offline  by  the 
computer  centre  of  the  host  university,  and  an  investigation  was  set  out 
firstly  by  a  professor  at  the  same  faculty,  who  also  did  research  on 
informatics. 
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According  to  the  IP  address  assigned  to  me  in  advance,  he  visited  his 
office  and  had  a  brief  look  at  his  laptops.  He  just  confirmed  that  the 
suspected  IP  address  was  that  had  been  used  in  the  suspected  attack. 

As  a  response,  he  paid  a  visit  to  the  professor’s  office  soon  after  and 
explained  his  awkward  work  during  the  past  days.  The  professor  had 
opened  an  email  message  on  his  desktop  screen,  saying  that  the  computer 
centre  had  noted  abnormal  activities  from  a  computer  with  a  certain  IP 
address,  which  should  have  been  assigned  to  a  user  at  this  faculty.  The 
influence  of  this  was  that  the  abnormality  exploited  quite  some  the  then 
scarce  bandwidth  and  the  network  connection  at  this  university  became 
slow.  Then  the  computer  centre  requested  the  professor’s  assistance  with 
the  investigation.  The  professor  was  the  just  person  he  gave  his  confession 
and  showed  his  record  of  “open  ports”  from  some  top  universities.  Besides, 
the  professor  had  a  proof  for  his  motive  in  the  form  of  a  manuscript  of  an 
article. 

The  university’s  computer  centre  was  once  concerned  with  his  act. 
But  after  the  professor  understood  all  he  had  done,  the  professor  told  him 
two  points: 

1.  Stop  his  experiment  immediately  even  if  it  was  useful  for  me; 

2.  Let  him  ensure  no  actual  access  to  any  computer  and  investigation 
would  concluded,  and  no  worry. 

He  was  fortunate  as  his  experiments  were  understood  by  a  professor 
who  knew  both  computer  science  and  law;  and  the  computer  centre  was  so 
wise,  nice  and  kind  that  they  didn’t  take  the  matter  for  granted  as  a  crime 
or  a  war.  He  was  not  an  offender,  nor  a  warrior. 

Many  others  were  not  as  lucky  as  him.  In  approximately  the  same 
season,  a  student  at  another  university  was  found  guilty  of  using  a 
computer  doing  similar  things  as  his,  accessing  several  computers  in  that 
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country,  revising  data  or  even  programs  in  them.  That  student’s  case  was 
investigated  by  criminal  police  and  he  made  real  trouble  with  his 
computer.  He  might  have  not  given  as  perfect  an  explanation  about  his 
work  as  the  scholar  had  about  mine.  Thus  he  might  well  be  regarded  as  a 
cyber  offender,  or  a  cyber  warrior,  or  even  a  cyber  spy.  A  long  judicial 
procedure  and  investigation  were  waiting  for  him,  enough  to  interrupt  his 
study. 

In  the  scholar’s  opinion,  the  sophistication  and  scale  of  so-called  cyber 
warfare  can  undoubtedly  realized  by  one  single  person  with  one  single 
computer,  not  to  say  many  users  might  make  spontaneous  reaction  to  a 
certain  event.  They  do  not  need  any  coordination;  but  the  timing  of  the 
event  might  act  as  a  “coordinator”.  Sometimes,  two  separate  attacks 
might  just  coincided  in  time,  target  or  origin,  as  millions  of  users  might  be 
online  at  any  moment,  and  that  two  or  more  users  with  similar  interest  or 
sentiment  act  simultaneously  does  not  sound  so  fictional. 

But  media  might  misconnect  some  individual  people,  individual 
events,  individual  targets  or  individual  origins  with  each  other  and  create 
some  mysteries  of  cyber  warfare.  Stories  from  one  source  read  imaginative; 
from  two  sources  read  justified;  and  from  three  or  more  sources  read  as 
true  as  facts.  Once  something  is  labeled  cyber  warfare,  other  things  can  be 
similarly  labeled  as  well.  Then  the  discourse  of  “cyber  warfare”  will  detect 
its  expression  in  real  life.  Cyber  warfare  industry  will  create  quite  good 
business  opportunities  for  interested  players  all  across  the  society. 


Conclusion 


There  has  been  a  growing  concern  over  cyber  warfare  have  in  recent 
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decades.  War-oriented  writer  usually  exploited  such  serious  and  expensive 
terms  as  cyber  war,  information  war,  and  electronic  war  to  spread  their 
impetuous  and  cheap  ideas.  More  and  more  parties  are  involved  in 
spreading  the  discourse  about  the  potential  threat  of  cyber  warfare.  All  of 
them  seem  to  benefit  from  an  enlarged  version  of  an  imagination.  A  new 
industry  is  growing  up,  exploiting  new  terminologies  such  as  cyber 
warfare,  electronic  war,  and  information  warfare.  Examples  given  in  this 
essay  are  only  tip  of  the  iceberg.  Here,  I  want  to  borrow  from  Morozov 
(2009b),  saying  that, 

“The  age  of  cyber-warfare  has  arrived.  That,  at  any  rate,  is  the 
message  we  are  now  hearing  from  a  broad  range  of  journalists,  policy 
analysts,  and  government  officials.” 
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CHAPTER  IX  SPYWARE  AND  SPY  AFFAIR 


Spyware:  a  security  issue,  not  a  definition  issue 

The  development  of  information  and  communications  technology  (ICTs) 
brings  about  broad  survival  space  for  both  individual  and  organizational 
users.  Electronic  life  becomes  usual  practice,  with  indicators  such  as 
growth  of  the  number  of  personal  computers  and  Internet  users,  the 
increase  in  the  number  of  web  sites,  Internet  hosts  and  web  pages, 
bandwidth  growth,  the  growth  of  scale  of  e-commerce  and  e-governance  (Li 
2008， pp.  82-89).  People  connected  through  information  system  might 
neither  necessarily  be  as  good  as  within  a  Weberian  formally  rational 
regime,  nor  necessarily  be  as  bad  as  in  a  Hobbesian  “war  of  all  against  all”, 
nor  as  ideal  as  Platonian  Republic,  and  Moresian  Utopia  (Li  2006d). 
Cybersecurity  can  only  be  perceived  as  a  relative  concept  (Li  2006a;  Li 
2006b).  Vulnerabilities  of  the  information  society  loom,  however,  on  the 
horizon  of  people’s  longing  for  an  optimistic  future  (Li  2008， pp.  89-111). 
Netizens  are  surprised  at  the  rise  of  threats  of  malicious  codes  to 
information  security  of  states,  enterprises  and  individuals,  for  instance.  As 
far  as  cyberinsecurity  and  cybercrime  are  concerned,  people  have  puzzled 
their  brains  to  find  workable  solutions  (see  Li  1992;  Li  1994;  Li  2006a;  Li 


2006b;  Li  2006c;  Li  2006d;  Li  2006e;  Li  2007a;  Li  2007b;  Li  2008).  Yet 
these  ghost  trouble  and  unwanted  perplexities  do  not  show  any  mercy  for 
anyone  who  connected  to  the  globalized  digital  networks. 

One  such  example  is  spyware,  which  is  a  growing  threat  to  the 
privacy  of  Internet  users  and  is  attracting  increasing  attention  worldwide 
(Federal  Trade  Commission  2005;  Anti- Spyware  Coalition  2007; 
Organization  for  Economic  Co-operation  and  Development  2006; 
Rotenberg  2008;  Hackworth  2005;  Saroiu， Gribble,  and  Levy  2004; 
Commission  of  the  European  Communities  2006).  Spyware  is  a  rising 
vexation  to  organizations  interested  in  safeguarding  their  own  proprietary 
intellectual  property  and  sensitive  information.  It  was  estimated  that 
overall  malicious  codes  phlebotomized  about  11  billion  Euros  from  the 
global  economy  in  2005  (Computer  Economics:  the  2005  Malware  Report, 
cited  in  Commission  of  the  European  Communities  2006， p.  3).  While 
malware  economy  has  ripened,  one  of  the  central  obstacles  that  legislature 
is  encountering  when  they  introduce  new  law  is  still  on  the  starting  point 
of  giving  acceptable  definitions  (Fox  2005,  pp.  1-2). 

The  originality  of  spyware  has  generally  been  traced  back  to  online 
commercial  advertising  practice,  which  primarily  took  forms  of  banner  and 
pop-up  windows  and  was  cost-ineffective.  While  dissemination  of  software 
with  advertising  functions  plays  an  effective  role  in  marketing,  technical 
development  promotes  the  evolution  of  spyware  and  increasingly  spreads 
ActiveX  controls  with  such  functions.  Creating  and  spreading  ActiveX 
controls  thus  becomes  a  paid  employment.  Due  to  lack  of  legal  foundation 
for  making  judgment  concerning  the  nature  of  spreading  or  prohibiting 
spyware,  developers  of  spyware  and  anti- spyware  are  involved  themselves 
in  circular  legal  actions  to  maintain  their  own  interests. 

Besides  some  kinds  of  spyware  with  clear  purpose  for  stealing  users1 
information,  it  is  complicated  to  evaluate  whether  other  kinds  of  spyware 


214 


with  commercial  purposes  are  harmful  to  users.  Examples  include 
assistant  Internet  tools,  which  at  the  same  time  of  providing  users  with 
convenience， collect  users'  information.  Existing  laws  in  the  world  have 
not  clearly  defined  them.  Left  undeterred,  spyware  continues  to  present 
substantial  harms  to  Internet  users  and  to  the  Internet  as  a  whole 
(Edelman  2008). 

Although  there  can  hardly  be  a  consensus  on  how  to  define  spyware 
due  to  diversified  viewpoint,  to  the  greatest  extent  of  proximity,  it  is 
usually  regarded  as  installed  without  permission,  and  gathering  sensitive 
information  (sample  definitions， see  Anti- Spyware  Coalition  2007， p.  1; 
Federal  Trade  Commission  2005， pp.  3-5;  Curtin  2004， p.  1;  Nelson  and 
Simek  2006;  Fox  2005， p.  2;  Figliola  2006,  pp.  1-3;  Hackworth  2005,  p.  2; 
Saroiu,  Gribble， and  Levy  2004， p.  1;  Commission  of  the  European 
Communities  2006,  p.  3).  Spyware  can  be  used  to  deceive  the  user,  forcibly 
revise  system  setup,  and  secretly  collect  information  from  the  host 
computer.  As  a  consequence  of  spyware  infections,  the  victim  may  be 
inundated  by  pop-up  advertisements,  the  victim’s  financial  information  or 
passwords  may  be  stolen,  and  the  victim’s  computer  may  be  rendered 
useless.  In  other  words,  spyware  can  spy:  capturing  keystrokes, 
screenshots,  authentication  credentials,  personal  email  addresses,  web 
form  data,  internet  usage  habits,  and  other  personal  information,  by 
delivering  data  to  online  attackers  who  use  it  to  carry  out  further  offences, 
such  as  identity  theft,  fraud,  spam  and  so  forth  (Hackworth  2005,  p.  2).  As 
most  misbehavior  does  in  the  cyberspace  (see  Li  2007b)， activities 
involving  spyware  are  by  and  large  intertwined  with  other  kinds  of 
activities,  causing  far  greater  imperilment  than  it  does  alone. 

This  Chapter  will  put  spyware  on  a  platform  of  social  legal 
phenomena,  giving  a  review  of  taxonomy,  characteristics,  threatened 
interests  and  interest  groups  revolving  around  the  standpoints  for  and 
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against  the  prohibition  of  spyware.  Upon  its  appearances,  the  Chapter 
takes  a  look  at  current  legal  actions  against  spyware. 


Spyware  for  spy  affairs 


Large  and  increasing  is  the  number  of  spyware,  the  classification  of  which 
seems  unmanageable  and  complicated.  Spython  (at 
http://www.spython.com/spyware.aspx)  could  detect  912  spyware  programs, 
Paul  Collins  (2008)  found  16,820  on  the  Internet,  and  Spyware  Vaccine  (at 
http://www.spywareremover.org/)  could  detect  more  than  50,000.  Pop-Up 
Sentry  (at  http://www.popupsentry.com/spyware.html)  blocked  and 
removed  1,500  applications  that  are  responsible  for  serving  pop-ups.  In  the 
meanwhile,  spyware  can  be  categorized  under  different  definitions  and 
according  to  different  standards.  Scholars  have  suggested  numerous  plans 
for  classifying  spyware.  Spywaredb  (at  http://www.spywaredb.com/)  listed 
27,604  spyware  programs  and  identified  three  most  common  forms: 
adware,  Trojans  and  cookies.  Spam-site  (at  http://www.spam- 
site.com/spyware/spywaretypes.slitml)  concluded  spyware  into  four  type: 
adware,  browser  hijack,  keyboard  logger,  and  modem  hijacker.  Software 
Tips  and  Tricks  (at 

http://www.softwaretipsandtricks.com/windowsxp/articles/590/l/Different- 
ty  p  e  s  -  of-  -  Spyware)  listed  six  types  of  spyware:  parasiteware,  adware, 
spyware,  malware,  pagehij ackers,  and  dialers.  Anti  Spyware  Review  (at 
http://anti-spyware-review.toptenreviews.com/types-of-spyware.html) 
listed  eight  types:  Internet  URL  loggers  and  screen  recorders,  chat  loggers 
and  email  recorders,  keyloggers  and  password  recorders,  web  bugs, 
modem  hijacking,  PC  hijacking,  and  Trojans  and  viruses.  Free  Spyware 
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Removal  (at  http://www.freespywareremoval.org/spyware-types/)  grouped 
into  six  types:  URL  loggers  and  screen  capture,  email  and  chat  loggers, 
password  loggers  and  keystroke  capture,  hijacking,  modem,  and  pop-ups. 
Pareto  Logic  (at 

http://www.paretologic.com/resources/types_of_spyware.aspx)  listed  15 
types:  adware,  browser  helper  object,  browser  hijacker,  dialer,  downloader, 
exploit,  flooder,  keylogger,  malware,  remote  administration  tool,  spyware 
and  surveillance,  trackware  and  data  miner,  Trojan  and  worm.  Consumer 
Software  Working  Group  identified  three  practices  involving  the  use  or 
distribution  of  spyware:  hijacking,  surreptitious  surveillance,  and 
inhibiting  termination.  Boldt， Carlsson  and  Jacobsson  (2004)  grouped 
spyware  into  cookies  and  web  bugs,  adware,  tracks,  browser  hijackers, 
spybots， system  monitors,  and  malware  (pp.  3-4).  “iolo  Technologies” 
(2007b)  classified  it  into  adware,  browser  helper  object,  dialer,  keystroke 
logger， malware,  remote  administration  and  miscellaneous  category. 

Some  other  actors  classify  spyware  without  an  unambiguous 
definition.  A  significant  example  is  that  of  Anti- Spyware  Coalition,  which 
turns  to  the  underlying  technology,  classifying  spyware  into  eight  different 
categories  (Anti-Spyware  Coalition  2007， pp.  4-5).  Their  classification  is 
relatively  comprehensive  and  broad,  but  blends  spyware  programs  with 
both  legal  and  illegal  intentions. 

Generally,  four  types  of  spyware  can  be  identified  according  the  two 
factors  that  should  be  contained  in  the  spyware  definition:  secretly 
installed  and  compromising  data.  The  first  type  is  adware,  which  is 
designed  for  advertising  bypassing  the  normal  operation  that  the  user 
expects.  The  second  type  is  machine  hijackware,  which  is  designed  for 
remote  access  or  control  of  machine.  The  third  type  is  system  hijackware, 
which  is  designed  to  modify  system  and  change  user  experience.  The  last 
type  is  trackware,  which  is  designed  to  monitor  user  behavior  or  collect 
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user  information.  From  these  categories  and  their  functions,  we  can 
intelligibly  realize  that  not  all  of  them  are  solely  created  for  malicious 
intentions.  Some  of  them  were  initially  invented  from  a  malicious  starting 
point,  but  are  later  also  used  in  legitimate  marketing  and  managing 
activities.  Yet  some  of  them  were  first  compiled  for  legitimate  use,  but  are 
later  misused.  When  we  consider  legal  regulation  on  this  issue,  however, 
we  put  stress  weight  on  the  negative  aspects  of  spyware,  even  though  we 
do  not  necessarily  view  all  the  types  and  kinds  as  maliciously  created 
and/or  operated. 


Spyware  and  spy  ways 


Spyware  is  located  in  a  grey  area  between  legal  commercial  software  and 
computer  viruses.  Intense  disagreement  over  the  definition  and 
classification  of  spyware  leads  to  a  lack  of  action  (Braff  2005).  However, 
the  common  natures  of  spyware  are  that  such  software  is  disseminated 
through  advertisements  and  other  social  engineering  means  and  installed 
forcibly  or  secretly  on  users’  computers  without  users’  knowledge  or 
consent.  Compared  with  software,  it  can  have  broad  influence  on  machines 
and  data,  for  example,  slowing  computers  down,  making  browser  display 
abnormal,  or  even  despairing  the  systems.  Its  acatalapticness  and 
uncontrollability  is  perceptible.  Most  kinds  of  spyware  are  characterized 
by  the  following  three  aspects: 

1.  Unauthorized  installation.  Oftentimes,  adware  vendors  claim  that 
their  software  is  installed  on  users’  computers  only  after  users  receive  the 
agreement  (Edelman  2008).  Spyware  typically  installs  itself  furtively 
through  one  of  three  methods.  Some  of  them  are  installed  automatically 
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without  the  knowledge  or  consent  of  users,  sometimes  through  bundling, 
that  is,  along  with  a  program  that  the  user  intentionally  downloads. 
Flourishing  Peer-to-Peer  file  sharing  software  has  provided  good 
opportunities  for  those  distributing  spyware  via  bundling. 

Users  are  deceived  into  installing  spyware  onto  their  systems  because 
spyware  authors  and  distributors  use  various  social  engineering 
techniques  to  induce  users  to  install  their  spyware.  Some  are  installed 
through  deceptive  means  without  obvious  prompt.  In  some  other  cases, 
the  computer  user  is  asked  to  click  “yes”  or  “no”  to  some  prompt  in  a  pop¬ 
up  window,  where  either  choice  results  in  the  installation  of  spyware  on 
the  user’s  computer.  While  some  spyware  tricks  users  into  installing,  other 
spyware  spreads  by  exploiting  loopholes  in  applications  (United  States 
Government  Accountability  Office  2005， pp.  32-33)， as  in  FTC  v.  Seismic 
Entertainment  (Federal  Trade  Comm’n  v.  Seismic  Entertainment 
Productions,  Inc”  Civ.  No.  04-377-JD， 441  F.Supp.2d  349， 2006-1  Trade 
Cases  1f75,333  (D.N.H.  2006)).  Users  are  usually  more  likely  to  get 
arrested  by  spyware  when  they  visit  adult  sites， download  computer 
programs,  play  online  games,  download  music,  share  files,  download 
computer  games,  download  screensavers,  and  buy  a  product  online  (Fox 
2005,  p.  4). 

2.  Spyware  is  difficult  to  detect  and  delete  by  users.  Spyware  works  in 
a  clandestine  and  an  obstinate  way,  having  high  capacity  for  self¬ 
protection.  The  removal  of  spyware  is  regarded  as  an  additional  difficulty 
(United  States  Government  Accountability  Office  2005,  p.  33). 

3.  Disturbing  normal  use.  Spyware  can  reduce  functions  of  the 
computer,  slowing  systems  down.  Such  disturbances  may  take  the  form  of 
new  toolbar,  new  desktop  shortcuts,  undesired  homepage,  unknown  search 
engine  and  search  results,  non- default  error  page,  repeated  popup 
advertisements,  consumption  of  network  efficiency,  jamming  of  network 


219 


flow,  modification  and  deletion  of  data,  modification  of  account  ID  and 
passwords,  and  loss  of  complete  control  over  the  computer.  As  Edelman 
(2008)  pointed  out  that  “a  computer  with  spyware  or  adware  is  often 
virtually  crippled-  filled  with  so  many  popups  that  doing  other  work  is 
impossible  or  impractical,  and  slowed  so  dramatically  that  it  is 
unappealing  to  use  the  computer  for  ordinary  purposes.”  As  a  consequence, 
Fox  (2005)  estimated  that  millions  of  computers  had  been  becoming 
overwhelmed  with  unwanted  software  programs  that  slowed  performance 
(p.  l). 

Furthermore,  the  prevalence  of  spyware  affects  users'  online  behavior 
as  an  emergency  reaction.  They  may  tend  to  adopt  such  defense 
mechanisms  as  stopping  visiting  particular  Web  sites,  stopping 
downloading  software  from  the  Internet,  stopping  downloading  music  or 
video  files  from  peer-to-peer  networks， and  starting  using  a  different  web 
browser  (Fox  2005,  p.  5). 

4.  Spying  for  control,  and  spying  for  confidentiality.  Overall,  spyware 
is  either  created  for  control  or  operated  for  control,  compromising  machine, 
system,  or  information.  In  detail,  the  working  mechanisms  of  spyware 
include  control  over  others*  computers,  making  changes  to  settings  or  files, 
degrading  computer  operation  and  worker  productivity,  compromising 
information  security,  and  posing  serious  security  risks. 


Spyware  as  a  business 


The  traditional  notion  of  spy  has  multifaceted  meanings.  Spies  can  always 
be  classified  into  positive  spies， neutral  spies  and  negative  spies,  based  on 
their  roles  for  or  against  classifier’s  interests  according  to  classifier's 
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judgment.  Undoubtedly,  spy  being  good  or  bad  are  dependent  on  who  spies 
and  for  whom  the  spy  spies. 

With  spyware’s  purpose  for  develop  and  target  for  operation,  spyware 
can  be  regarded  as  having  been  developed  as  a  new  business.  Unlike 
original  types  of  malicious  software  that  was  created  solely  for  the  purpose 
of  destroying  users’  hardware,  software,  or  data,  subsequent  variants  of 
malicious  software  have  increasingly  meddled  in  users’  control  over  their 
own  machines  and  data.  When  new  variants  evolved  from  their  malicious 
software  ancestors,  they  nurtured  the  new  ambition  for  seeking  profits. 
Many  different  players  are  participating  in  the  division  of  labor  and  share 
of  profits  in  this  business.  These  players  can  be  divided  into  two  categories: 
insiders  and  outsiders. 

Inside  players  are  those  who  make  a  profit  on  or  take  a  loss  from 
being  positively  or  passively  involved  in  spyware-related  activities.  They 
can  further  be  divided  into  three  subcategories: 

A.  Symbiotic  inside  player:  producer,  beneficiary,  and  victimized 
target  user.  Core  players  in  spyware  industry  are  they,  whose  activities 
are  necessary  components  in  the  industry,  and  without  whom  the 
emergence,  existence  and  development  of  the  industry  would  be  impossible. 

B.  Autoecious  inside  player:  victimized  target  user  protector.  They  are 
those  who  claim  to  be  representatives  of  consumers  and  other  users.  Their 
just  existence  has  been  dependent  on  the  reality  that  consumer  rights  are 
frequently  infringed. 

C.  Successive  inside  player:  anti- spyware  industry,  security  expert, 
legislator,  law  enforcement.  They  are  those  who  seek  overall  solutions 
against  spyware.  Nevertheless,  their  opportunities  rely  on  the  emergence 
and  existence  of  negative  influence  of  spyware. 

Outside  players  are  those  who  make  use  of  the  existence  of  the  reality 
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of  spyware-related  activities.  They  can  further  be  divided  into  three 
subcategories  as  well: 

A.  Symbiotic  outside  player:  non-beneficiary  and  non-victim  observer. 
They  those  who  are  indifferent  to  the  occurrence  of  spyware  phenomena 
and  the  actualization  of  spying. 

B.  Autoecious  outside  player:  mass  media.  They  are  those  who  claim 
to  disclose  actual  facts  behind  the  phenomena  of  spyware.  Yet  they  do  not 
take  strict  scientific  approaches  in  their  investigation. 

C.  Successive  outside  player:  researcher  and  teacher.  They  are  those 
who  describe  the  phenomena,  reveal  the  reality,  explore  the  impact, 
explain  the  discovery,  discuss  different  ideas,  reason  the  hypothesis,  and 
establish  a  theoretical  frame. 

These  players  have  different  attitude  towards  the  creation, 
dissemination,  operation,  mischief,  and  general  prevalence  of  spyware: 
many  of  them  can  benefit  from  the  just  negative  effect  of  spyware  on  users, 
networks,  and  society  (see  Table  21). 


Table  20  Attitude  of  Involved  Players  in  Spyware  Business 


Spyware 

tolerance 

Spyware  neutral 

Spyware  averse 

Creator 

Sense  of 

achievement, 

financial  gain, 

earning  a  high 

reputation 

Customer 

Exploiting  the 

function  of 
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spyware  to 

advertise,  spy 

and  attack 

opponent 

Target  user 

Fulfilling 

customization, 

getting 

advertised,  etc. 

Nothing  special 

happens, 

enjoying  some 

small  annoyances 

Being  exploited 

of  time， 

concentration, 

energy,  and 

psychic. 

Hardware  being 

slowed  down, 

network  being 

disconnected, 

personal 

information  being 

stolen 

Intruder 

Easy  to  control 

others 

Real  spy 

Easy  to  spy 

others 

Advertiser 

Easy  to  inform 

others  of  its 

products  or 

services 

Hardware 

manufacturer 

Encouraged  to 

invent  securer 

and  faster 

machine,  and 

new  and  good 
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machine  makes 
more  money.  If 
Microsoft 
Windows  Vista 
can  run  on  an 
Intel  Pentium 
100  machine, 
then  many 
current  computer 
companies  will 
bankrupt. 

Hardware  vendor  Old  types  of 

machine  may  be 
excluded  by 
slowing-down 
brought  about  by 
spyware. 
Hardware  vendor 
may  have  a  little 
bit  to  lose. 

Updated  New  type  of 

hardware  vendor  hardware  has 
broader  market 

Software  writer  Encouraged  to 
write  more 
secure  software 

Software  vendor  Old  software  may 

be  disqualified  in 
the  new  security 


environment. 

Anyway,  software 

vendor  has  little 

to  lose. 

Updated  software 

vendor 

New  software  has 

broader  market 

Anti-spyware 

producer 

Winning  market 

through  panic 

created  by 

spyware’s  broad 

spread. 

Whenever  there 

is  spyware  and 

other  viruses, 

there  is  a  market 

for  anti-virus 

producer.  All 

viruses  of  bad 

nature  are 

welcome.  If  you 

don't  scare  users, 

then  we  will  be 

dismissed. 

Security  expert 

Current  experts 

enjoy  higher 

reputation  and 

status,  and  get 

more 

employment 

opportunities 

Current  security 

expert  may  feel 

too  busy  dealing 

with  security 

problems,  and 

have  to  learn 

more 
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sophisticated 

skills. 

Mass  media 

Job 

opportunities, 

and  new 

headlines 

Legislator 

Job  opportunities 

Law  enforcement 

Job 

opportunities, 

and  new  reason 

for  budget 

More  work  load, 

and  new  skill 

requirement 

Professor 

New  field  of 

academic  career 

Researcher 

New  field  of 

academic  career, 

project  and  new 

funding 

opportunities 

Cerebration  of  international  and  domestic  legal  actions  against 
spyware 


When  I  dealt  with  the  problem  of  general  phenomena  of  cybercrime  and 
explain  why  cyberized  society  created  an  uncontrollable  situation,  and 
explored  the  disputability  of  online  content  and  activities,  I  pointed  out 
that, 
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“The  old  and  new  diversity  between  cultures,  societies  and  laws  has 
not  necessarily  been  diminished  by  the  common  networks  of  information 
systems.  On  the  contrary,  universal  information  systems  bring  in  a 
diversity  from  offline  to  online,  and  bring  about  a  diversity  between  offline 
and  online.”  (Li  2008， p.  96)  Information  systems  can  accommodate 
contents  of  different  value-orientation  and  activities  of  a  differing  legal 
nature,  usually  creating  controversies  among  the  various  jurisdictions.  As 
a  result,  the  authorities  in  the  country  where  the  content  or  activities  are 
legal  cannot  provide  sufficient  protection  for  people  who  publicize 
legitimate  speech  or  carry  out  legitimate  activities,  and  cannot  prohibit 
infringements  and  impose  sanctions  on  people  who  infringe  these  legal 
rights.  Similarly,  authorities  in  a  country  where  the  contents  or  activities 
are  illegal  cannot  impose  sanctions  on  people  who  breach  the  proscription, 
and  cannot  protect  people  who  obstruct  the  illegal  contents  or  activities 
from  wrong  prosecution  by  a  country  where  people  adopt  contrary 
standpoints  to  the  legal  nature  of  these  contents  or  activities  (Li  2008,  p. 
99). 


This  diversity  created  a  legal  gap  between  countries  of  different 
cultural  tradition,  social  systems  and  value  judgment.  Subsequently, 
countries  are  divided  into  different  jurisdictions  over  the  issue  of  spyware. 
Laws  are  different,  and  jurisdictions  are  different,  too.  Negotiations  must 
be  carried  out,  and  consensus  must  be  reached,  both  of  which  are 
unimaginably  time-consuming.  Appeal  to  international  harmonization 
sounds  like  an  ideal  solution  but  impractically  far-off.  International 
harmonization  has  hitherto  been  primarily  the  forum  of  the  developed 
countries.  The  working  mechanism  of  an  effective  international  treaty  is 
for  all  of  the  signatory  countries  to  take  effective  action  and  preserve  a 
common  theatre  of  operation.  The  treaty  is  not  aimed  at  any  third  party 
and  thus  the  third  party  is  not  restrained  by  it.  Along  with  the 
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development  of  the  Internet  globally,  the  number  of  cybercrimes  will  be 
correlated  with  the  population  base  of  Internet  penetration,  and  the  global 
population  base.  Most  of  the  present  international  harmonization 
measures  against  cybercrime  have  not  been  incorporating  the  countries 
with  the  largest  population.  This  will  make  the  measures  less  effective  (Li 
2008,  pp.  334-335). 

At  the  same  time， countries  may  hold  different  attitudes  towards 
introducing  new  laws  against  spyware.  Some  countries  may  think  they 
have  already  had  enough  cybercrime  laws  tackling  this  issue,  punishing 
spyware  with  provisions  on  illegal  access,  illegal  interception,  data 
interference,  system  interference,  and  misuse  of  devices  as  may  be  the 
case  of  most  member  states  European  Convention  on  Cybercrime.  Other 
countries  may  not  be  possible  to  apply  their  existing  laws  because  of  their 
fussy  process  of  legislation  as  is  the  case  of  the  US.  These  two  groups  of 
countries  cannot  simply  reach  a  consensus  on  applying  existing 
international  agreements. 

Then  we  have  to  sue  to  domestic  law.  Domestic  law  is  much  easier  to 
be  enacted  than  an  international  treaty.  Within  a  country,  however,  the 
above-mentioned  diversity  can  well  be  translated  into  the  field  of  conflict 
of  interests.  Today,  it  is  straightforward  to  recognize  that  feasible 
domestic  legislation  and  enforcement  can  assist  to  prevent  the  negative 
influence  of  spyware  (Edelman  2008).  However,  legislation  and 
enforcement  are  not  an  issue  of  whether  there  exist  an  unambiguous 
definition  on  what  are  malicious  spyware  and  whether  malicious  spyware 
should  be  prohibited,  but  an  issue  of  tussle  between  interest  groups  and 
their  representatives  in  legislature  and  judicial  organs.  Anti-spyware 
advocators  believe  that  current  legal  actions  are  inadequate,  while 
opponents  argue  that  industry  self-regulation  and  enforcement  of  existing 
laws  are  sufficient  (Figliola  2006， p.  1).  Disputation  occurs  whenever 
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confront  the  spyware  creators;  disseminators;  advertisers;  consumers; 
state,  business  and  personal  secret  keepers;  privacy  protectors;  legislators 
of  various  value-orientation;  and  law  enforcers  of  different  interest.  In  a 
word,  there  can  not  be  a  single  discourse  concerning  whom  the  law  will 
protect  and  prohibit.  Law’s  goals  can  become  promiscuous  and  bedimmed 
if  no  law  at  all.  Legislative  practice  in  the  US  against  spyware  has  already 
taught  us  plenteous  lessons  (see  a  random  example  in  Wenham  2002). 


In  the  US,  as  of  September  2008， no  federal  has  been  enacted 
specifically  against  spyware.  Different  pieces  of  anti-spyware  legislation 
have  passed  the  House  of  Representatives  but  have  not  proceeded  any 
further.  At  the  state  level,  as  of  March  2008， fourteen  state  legislatures 
have  adopted  some  form  of  anti- spyware  legislation  and  more  states  are 
considering  anti-spyware  legislation.  Indeed,  some  states  have  computer 
trespass  or  computer  privacy  statutes  that  effectively  prohibit  the  use  of 
spyware.  Spyware  legislation  has  been  passed  in  Alaska  (Alaska  Stat. 
§45.45.792)， Arizona  (Ariz.  Rev.  Stat.  Ann.  §§44-7301  to  44-7304)， 
Arkansas  (Ark.  Stat.  Ann.  §§4-11-101  to  4-11-105， Ark.  Stat.  Ann.  §19-6- 
301， Ark.  Stat.  Ann.  §19-6-804)， California  (Cal.  Bus.  &  Prof.  Code  D.  8 
§§22947  to  22947.6)， Georgia  (Ga.  Code  §§16-9-152,  16-9-157)， Indiana 
(Ind.  Code  §24-4.8-1  et  seq.， Ind.  Code  §24-4.8-2  et  seq， Ind.  Code  §24-4.8-3 
et  seq.)， Iowa  (Iowa  Code  §§715.1  to  715.8)， Louisiana  (La.  Rev.  Stat.  Ann. 
§§51:2006  to  51:2018)， Nevada  (Nev.  Rev.  Stat.  §205.4737),  New 
Hampshire  (N.H.  Rev.  Stat.  Ann.  §§359-H:l  to  359-H:6)， Rhode  Island  (R.I. 
Gen.  Laws  §11-52.2-2,  R.I.  Gen.  Laws  §11-52.2-7),  Texas  (Tex.  Business  & 
Commerce  Code  Ann.  §§48.001  to  48.203,  Tex.  Business  &  Commerce  Code 
Ann.  §§324.001  to  324.102),  Utah  (Utah  Code  Ann.  §§13-40-101  to  13-40- 
401)， and  Washington  (Wash.  Rev.  Code  §§19.270.101  to  19.270.900) 
(National  Conference  of  State  Legislatures.  2008).  They  represent  28 
percent  of  the  U.S.  states.  Having  new  laws  is  one  of  the  many  alternative 
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solutions  for  this  new  issue. 

In  recent  years,  however,  dozens  of  cases  have  also  been  filed  against 
spyware.  At  least  11  actions  have  been  taken  by  FTC.  Others  have  been 
taken  at  state  and  federal  levels.  The  prohibited  activities  in  these  cases 
can  fall  into  one  or  more  of  the  following: 

1.  Tracking  consumers1  Internet  activity  or  collects  other  personal 
intonation; 

2.  Changing  consumers’  preferred  Internet  homepage  or  other 
browser  settings; 

3.  Inserting  a  new  toolbar  onto  consumers’  Internet  browsers,  inserts 
a  new  bar,  frame  or  window  onto  consumers’  browser  windows  that  in  turn 
displays  advertisements; 

4.  Displaying  numerous  ” pop  up”  advertisements  on  consumers’ 
computer  screens  during  a  single  computer  session， even  when  consumers’ 
Internet  browsers  are  closed; 

5.  Installing  a  dialer  program  on  consumers’  computers; 

6.  Changing  a  user  s  "error"  page  or  DNS  page; 

7.  Inserting  advertising  hyperlinks  into  third-party  webpages;  or 

8.  Installing  other  advertising  software  code， file,  or  content  on 

consumers1  computers  (see  FTC  v.  ERG  Ventures,  LLC， Civil  Action  No.: 
3:06-CV-00578-LRH-VPC,  FTC  File  Nos.:  062-3192;  X070004;  FTC  v. 

Enternet  Media,  Inc.  Conspy  and  Co,  Inc.  Lida  Rohbani,  Nima  Hakimi， 
Baback  Hakimi  and  Nicholas  C.  Albert,  Civil  Action  No.:  CV05-7777CAS 
(AJWx)， FTC  File  No.:  052  3135;  FTC  File  No.  X06-0003). 

From  these  cases,  we  can  see  that  existing  laws,  either  those  not 
specifically  designed  against  spyware  or  those  specifically  designed 
against  spyware,  have  been  applied  in  legal  fight  against  spyware.  A 
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diversified  range  of  provisions  on  offences  can  be  applied  to  the  acts 
involving  spyware,  including,  for  example, 

1.  Knowingly  and  with  intent  to  defraud  trafficking  in  or  using  one  or 
more  unauthorized  access  devices  during  any  one-year  period,  and  by  such 
conduct  obtaining  anything  of  value  aggregating  $1,000  or  more  during 
that  period  (U.S.C.§1029(aX2))  (United  States  v.  Mario  Alberto 
Simbaqueba  Bonilla). 

2.  Intentionally  accessing  a  computer  without  authorization  or 
exceeding  authorized  access,  and  thereby  obtaining  information  from  any 
department  or  agency  of  the  United  States  (18  U.S.C.  §  1030(a)  (2)  (B) 
(United  States  v.  Kenneth  Kwak). 

3.  Intentionally  accessing  a  computer  without  authorization  or 
exceeding  authorized  access,  and  thereby  obtaining  information  from  any 
protected  computer  if  the  conduct  involved  an  interstate  or  foreign 
communication  (18  U.S.C.  §  1030(a)  (2)  (C))  (United  States  v.  George 
Nkansah  Owusu;  United  States  v.  John  J.  Gannitto;  United  States  v. 
Cheryl  Ann  Young). 

4.  Knowingly  and  with  intent  to  defraud,  accessing  a  protected 
computer  without  authorization,  or  exceeding  authorized  access,  and  by 
means  of  such  conduct  furthering  the  intended  fraud  and  obtaining 
anything  of  value,  unless  the  object  of  the  fraud  and  the  thing  obtained 
consists  only  of  the  use  of  the  computer  and  the  value  of  such  use  is  not 
more  than  $5,000  in  any  1-year  period  (18  U.S.C.  §  1030(a)  (4))  (United 
States  Hario  Tandiwidjojo;  United  States  v.  John  Schiefer;  United  States  v. 
Van  T.  Dinh;  United  States  v.  Juju  Jiang). 

5.  Knowingly  causing  the  transmission  of  a  program,  information, 
code,  or  command,  and  as  a  result  of  such  conduct,  intentionally  causing 
damage  without  authorization,  to  a  protected  computer  (18  U.S.C 
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§  1 0 3 0 (a) (5) (A) (i)) (U nite d  States  v.  Christopher  Maxwell;  United  States  v. 
Jeanson  James  Ancheta;  United  States  v.  Robert  Matthew  Bentley; 
United  States  v.  Jason  Michael  Downey). 

6.  Causing  (or,  in  the  case  of  an  attempted  offense,  would,  if 
completed,  have  caused)  loss  to  1  or  more  persons  during  any  1-year  period 
(and,  for  purposes  of  an  investigation,  prosecution,  or  other  proceeding 
brought  by  the  United  States  only,  loss  resulting  from  a  related  course  of 
conduct  affecting  1  or  more  other  protected  computers)  aggregating  at 
least  $5,000  in  value  (18  U.S.C.§1030(a)(5)(B)(i))  (United  States  v. 
Christopher  Maxwell;  United  States  v.  Robert  Matthew  Bentley). 

7.  Causing  the  modification  or  impairment,  or  potential  modification 
or  impairment,  of  the  medical  examination,  diagnosis,  treatment,  or  care 
of  1  or  more  individuals  (18  U.S.C.  §  1030(a)  (5)  (B)  (ii))  (United  States  v. 
Christopher  Maxwell). 

8.  Causing  damage  affecting  a  computer  system  used  by  or  for  a 
government  entity  in  furtherance  of  the  administration  of  justice,  national 
defense,  or  national  security  (18  U.S.C.  §  1030(a)  (5)  (B)  (v))  (United  States 
v.  Kenneth  Kwak). 

9.  Intentionally  intercepting,  endeavoring  to  intercept,  or  procuring 
any  other  person  to  intercept  or  endeavor  to  intercept,  any  wire,  oral,  or 
electronic  communication  (18  U.S.C.§2511(l)(a))  (United  States  v.  Jerome 
T.  Heckenkamp;  United  States  v.  Cheryl  Ann  Young). 

10.  Sending  through  the  mail,  or  sending  or  carrying  in  interstate  or 
foreign  commerce,  any  electronic,  mechanical,  or  other  device,  knowing  or 
having  reason  to  know  that  the  design  of  such  device  renders  it  primarily 
useful  for  the  purpose  of  the  surreptitious  interception  of  wire,  oral,  or 
electronic  communications  (18  U.S.C.  §2512(l)(a))(United  States  v.  Carlos 
Enrique  Perez-Melara). 
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11.  Manufacturing,  assembling,  possessing,  or  selling  any  electronic, 
mechanical,  or  other  device， knowing  or  having  reason  to  know  that  the 
design  of  such  device  renders  it  primarily  useful  for  the  purpose  of  the 
surreptitious  interception  of  wire,  oral， or  electronic  communications,  and 
that  such  device  or  any  component  thereof  has  been  or  will  be  sent 
through  the  mail  or  transported  in  interstate  or  foreign  commerce  (18 
U.S.C.  §2512(1)  (b))  (United  States  v.  Carlos  Enrique  Perez-Melara). 

12.  Placing  in  any  newspaper,  magazine,  handbill,  or  other 
publication  or  disseminating  by  electronic  means  any  advertisement  of 
any  electronic,  mechanical,  or  other  device  knowing  or  having  reason  to 
know  that  the  design  of  such  device  renders  it  primarily  useful  for  the 
purpose  of  the  surreptitious  interception  of  wire,  oral,  or  electronic 
communications  (18  U.S.C.  §2512(l)(c)(i))，  or  any  other  electronic, 
mechanical,  or  other  device,  where  such  advertisement  promotes  the  use  of 
such  device  for  the  purpose  of  the  surreptitious  interception  of  wire,  oral, 
or  electronic  communications,  knowing  the  content  of  the  advertisement 
and  knowing  or  having  reason  to  know  that  such  advertisement  will  be 
sent  through  the  mail  or  transported  in  interstate  or  foreign  commerce  (18 
U.S.C.  §2512(l)(c)(ii))  (United  States  v.  Carlos  Enrique  Perez-Melara). 

Some  other  cases  fall  into  unfair  methods  of  competition  in  or 
affecting  commerce,  and  unfair  or  deceptive  acts  or  practices  in  or 
affecting  commerce  (15  U.S.C.  §§ 45(a)  (b))  (FTC  v.  ERG  Ventures,  LLC). 

Indeed， these  clauses  and  cases  have  been  effective  in  establishing  a 
certain  degree  of  deterrence  against  malicious  profit-harvesters  in 
spyware  business.  It  is  not  impossible  that  existing  laws  can  be  applied  to 
phenomena  with  a  bit  new  features.  The  options  have  to  be  weighed 
against  the  price  of  legislating  process.  In  Europe,  it  is  more  likely  that 
the  current  Convention  on  Cybercrime  will  be  applied  to  the  issue  of 
spyware,  when  an  act  causes  comparable  harm  as  that  of  illegal  access, 
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illegal  interception,  data  interference,  system  interference,  and  misuse  of 
devices.  The  advantage  of  a  broadly  defined  consensus  in  advance  can  be 
perceived  if  legislators  in  the  world  cannot  follow  the  change  of 
technologies， unless  legislators  are  powerful  enough,  as  in  the  US,  to 
obtain  inexhaustible  budget  for  their  lobbying  in  endless  legislating 
activities. 


Conclusion 

Spyware  poses  a  substantial  menace  to  security,  integrity  and 
confidentiality  of  information  systems.  Originating  from  online 
commercial  advertising  strategies,  spyware  can  be  used  to  deceive  users, 
forcibly  revise  system  setup,  and  secretly  collect  information  from  host 
computer.  This  Chapter  puts  spyware  on  a  platform  of  social  legal 
phenomena,  giving  a  review  of  taxonomy,  characteristics,  threatened 
interests  and  interest  group  revolving  around  the  standpoints  for  and 
against  the  prohibition  of  spyware.  Spyware  is  developing  as  a  new 
business.  Many  different  players  are  participating  in  the  division  of  labor 
and  share  of  profits  in  this  business.  These  players  can  be  divided  into 
insiders  and  outsiders.  Upon  its  appearances,  the  Chapter  takes  a  look  at 
current  legal  actions  against  spyware.  Even  though  there  have  been 
abundant  reasons  to  be  sure  that  old  laws  are  not  sufficient  to  prevent 
spyware  in  general,  to  some  extent,  existing  laws  provide  effective  means 
for  combating  some  specific  spyware-related  activities. 
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CHAPTER  X  ECONOMIC  APPROACH  TO 
CYBERCRIME 


General  theory  of  punishment  in  law  and  economics 

The  idea  of  deterrence  has  existed  in  fragmented  forms  for  several 
centuries  in  both  eastern  and  western  philosophy  and  law.6  However,  it  is 
generally  accepted  that  the  identification  of  economic  aspects  in  illegal 
activities  began  in  the  US  in  the  late  1960s.  Gary  S.  Becker’s  article 
“Crime  and  Punishment:  An  Economic  Approach”， published  in  1968， is 
considered  the  earliest  study  of  crime  from  an  economic  perspective. 
Becker  seeks  to  observe  criminal  behaviour  in  the  light  of  purely  economic 
factors  as  he  perceives  crime  as  the  consequence  of  rational  estimations  of 
the  lawbreaker.  The  economic  approach  to  crime  starts  from  a  plain 
hypothesis  that  all  people  take  action  rationally,  and  make  a  decision 
whether  to  perpetrate  crime  by  comparing  the  benefits  and  costs  of 
engaging  in  crime.  If  the  action  produces  more  expected  benefits  than 
expected  costs,  the  person  will  carry  out  the  action,  even  if  it  is  an 
unlawful  act. 

6  The  literature  presenting  the  deterrence  argument  goes  back  to  Beccaria  (1774);  Bentham  (1789);  and 
Blackstone  (1765-69). 
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The  individual  estimates  all  her  or  his  actual  opportunities  of  gaining 
legal  returns,  the  sum  of  returns  offered  by  these  opportunities,  the  sum  of 
returns  offered  by  different  illicit  ways,  the  probability  of  being  arrested  if 
she  or  he  acts  illegally， and  the  possible  penalty  if  she  or  he  is  seized.  After 
making  these  estimations,  she  or  he  chooses  the  act  or  profession  with  the 
maximum  discounted  return.7 


The  two  fundamental  points  of  departure  can  be  summarized  as: 

Crime  rates  respond  to  the  costs  and  benefits  of  committing  crime; 

People  respond  to  deterring  incentives. 

It  followings  that  devoting  resources  to  detection,  conviction  and 
punishment  should  influence  the  level  of  crime.  The  deterrence  hypothesis 
can  be  illustrated  by  Figure  1.  The  horizontal  axis  shows  the  amount  of 
crime  committed  by  an  individual,  which  could  be  measured  by  the 
number  of  offences  and  the  vertical  axis  measures  costs  and  benefits.  If 
the  marginal  cost  (MCi)  of  criminal  activity  rise  and  the  marginal  benefits 
(MB)  fall,  as  shown,  there  is  an  optimal  level  of  crime  (C*)  where  marginal 
cost  intersects  marginal  benefit.  Marginal  cost  shows  the  minimum  return 
required  before  an  individual  would  engage  in  successive  units  of  crimes: 
it  is  therefore  a  supply  function  for  crime.  Marginal  benefit  shows  the 
maximum  the  individual  would  pay  for  the  opportunity  to  undertake 
successive  units  of  crime,  ignoring  his  costs,  and  can  be  regarded  as  the 
demand  for  crime. 

Economists  suggests  we  can  influence  individuals  to  reduce  their 
criminal  activity  by  undertaking  policies  to  shift  the  marginal  cost 
function  upwards  and  the  marginal  benefit  function  downwards. 


Following  Becker  (1968)， the  deterrence  hypothesis  can  be  formulated 


as: 


7  Becker  as  cited  in  Sullivan  (1973),  p.141. 
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EU=pU(Y-f)+(l-p)U(Y) 


Where  p=probability  of  capture  and  punishment;  U=utility  (assumed 
measurable);  EU=expected  utility;  f=value  of  punishment;  Y=income  if 
undetected.  The  cost-benefit  calculation  of  the  rational  criminal  implies 
that  both  increasing  the  probability  of  detection  and  increasing  the 
severity  of  the  punishment  reduce  the  criminal’s  expected  utility  and 
should  deter  crime. 

An  extensive  scope  of  economic  studies  of  crime  has  been  undertaken 
since  Becker’s  preliminary  work. 8  To  date， the  application  of  these 
theoretical  frameworks  has  been  established  on  or  expanded  to  the  field  of 
particular  crimes.  During  this  process,  the  classic  theories  have  been 
undergoing  continuous  revision  and  updating. 

At  the  same  time,  the  crimes  people  commit  changes  as  the  society 
changes.  It  has  already  been  recognized  that  with  the  advent  of  complex 
computer  technology， social  changes  brought  about  by  technology  appear 
capable  of  occurring  with  devastating  rapidity.  The  social  scientists  must 
try  to  recognize  the  bases  of  change  more  quickly  in  the  information  age9 
than  before  (Peters  1971:31).  While  the  economy  is  increasingly  dependent 
on  the  information  systems， the  cybercrime  is  eroding  the  basis  of  this 
economy.  How  to  implement  suitable  punishment  to  cybercrime?  This  is 
one  of  the  questions  law  and  economics  must  be  devoted  to  answer.  There 
have  already  been  a  number  of  initial  efforts  to  analyze  cybercrime  and 
punishment  with  this  approach,  though  the  current  achievements  are 
relatively  fragmented. 


However,  it  should  be  always  borne  in  mind  that  supremacist 

8  For  example,  Stigler  (1970);  Harris  (1970);  Ehrlich  (1973,  1975);  Ehrlich  and  Mark  (1977).  For  an 
overview  of  the  early  literature  on  the  economics  of  crime  see  Sullivan  (1973).  For  more  recent  studies 
see,  Adreano  (1980);  Findlay  (1999);  Hellmann  (1980);  Rottenberg  (1973). 

9  .  .....  ... 

The  term  "Information  Age’  was  coined  by  Wilson  Dizard  in  his  1982  book  "The  coming  information 
age:  an  overview  of  technology,  economics,  and  politics”， published  by  Longman  in  New  York  in  1982. 
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viewpoint  about  law  and  economics  have  always  been  criticized  in  the 
academia.  Biological,  psychological,  social,  political,  religious,  and  lifestyle 
factors  have  certain  influences  on  crime.  Mental  illness  and  duress  of 
unemployment  may  be  the  just  reasons  why  people  in  the  condition 
become  irrational  risk  takers.  Buchanan  and  Hartle/s  (1992)  allegation 
that  if  criminals  were  genetically  predisposed  towards  a  life  of  crime,  it 
would  be  difficult  to  give  explanation  to  why  the  original  prisoner 
population  of  Australia  did  not  bring  about  a  heaven  of  criminals, 
apparently  ignores  the  fact  that  the  biological  factors  do  not  always 
represent  genetic  factors.  The  deterrent  mechanism  does  not  work  when 
we  punish  those  who  do  harm  to  others  under  mental  illness,  or  under 
necessity.  That’s  why  laws  provide  that  these  situations  are  defenses 
against  indicting.  While  we  more  and  more  turn  to  economic  analysis,  we 
are  not  completely  refusing  the  contribution  of  other  elements  in  the 
phenomenon  of  crime. 


Factors  influencing  the  detection  and  conviction  probability  of 
cybercrime 


Cybercrime  is  highly  concealed 


For  the  hackers,  the  likelihood  of  being  caught  and  convicted  is  low.  The 
greatest  advantage  to  a  cybercrime  is  the  ability  to  commit  crimes  against 
people  and  never  be  punished  or  even  identified  (Philip  2002).  There  are 
countless  cybercrimes  that  are  not  made  public  due  to  private  industry’s 
reluctance  to  publicize  its  vulnerability  and  the  government’s  concern  for 
security  (Hatcher  et  al.  1999:  397,  399).  The  term  "dark  figure",  used  by 
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criminologists  to  refer  to  unreported  crime,  has  been  applied  to 
undiscovered  computer  crimes  (UN  Manual,  par.  30).  The  computer 
criminal  is  less  likely  to  be  caught  than  the  bank  robber  is,  and  less  likely 
to  be  convicted.  Because  of  limited  awareness  and  experience  of  system 
administrators  and  users,  many  intrusions  are  not  detected  (COM(2000) 
890  final,  11). 

Firstly,  one  of  the  biggest  difficulties  law  enforcement  agencies  face  is 
that  electronic  crimes  are  difficult  to  detect  (Wolf  2000:100).  The  electronic 
records  or  software  resulting  from  the  offences  can  be  electronically 
altered,  deleted  or  erased  by  hackers  in  a  brief  instant,  or  in  the  normal 
course  of  events,  before  it  can  be  captured  as  evidence  (Park  2004;  Parker 
and  Nycum  1984:313).  Untraceable  use  of  an  Internet  site,  with  the 
permission  of  the  site’s  controllers,  is  quite  easy  to  arrange.  Even  if  we 
record  the  intruder’s  activities  and  try  to  trace  him  to  his  source,  this 
would  require  a  long  term  of  work  and  the  cooperation  of  many 
organizations10  in  possibly  many  countries.  Roughly  speaking,  less  than 
one  in  ten  successful  computer  intrusions  are  detected  (Molander  et  al. 
1996). 

Secondly,  it  is  possible  for  people  to  remain  anonymous  while 
communicating  or  performing  other  activities  over  the  Internet.  At  the 
user  level,  the  account’s  name  of  email  messages  and  newsgroup  articles  is 
not  required  to  bear  any  resemblance  to  that  of  its  user;  a  considerable 
degree  of  anonymity  is  available.  If  complete  anonymity  is  wanted,  a  file 
can  be  sent  to  another  user  who  then  retransmits  it  as  a  newsgroup  article 
or  electronic  mail  message.  If  the  retransmitting  user  is  an  automatic 

10  See  generally  Stoll  (1988),  484-497  (telling  a  story  of  how  Lawrence  Berkeley  Laboratory  traced  a 
German  trespasser  on  the  U.  S.  military  networks,  who  slipped  through  operating  system  security  holes 
and  browsed  through  sensitive  databases.  “Tracing  the  activity  was  challenge  because  the  intruder 
crossed  many  networks,  seldom  connected  for  more  than  a  few  minutes  at  a  time,  and  might  be  active 
at  any  time.”  Ibid,  486). 
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program  rather  than  a  person,  the  protection  is  even  greater.  Evidently, 
such  an  arrangement  makes  identification  of  and  enforcement  of  laws 
against  the  sender  extremely  intricate,  particularly  if  the  retransmitter  is 
in  another  jurisdiction  (Kingdon  1994). 

Because  of  the  make-up  of  the  Internet,  it  is  sometimes  difficult  for 
law  enforcement  officers  to  discover  the  identity  of  a  hacker  (Harris  2001). 
A  hacker  might  hide  or  "spoof'  his  IP  address,  or  might  intentionally 
bounce  his  communications  through  many  intermediate  computers 
scattered  throughout  the  world  before  arriving  at  a  target  computer.  The 
investigator  must  then  identify  all  the  bounce  points  to  find  the  location  of 
the  hacker,  but  usually  can  only  trace  the  hacker  back  one  bounce  point  at 
a  time.  In  cases  that  a  victim  who  has  no  record  of  the  IP  address,  that 
some  ISPs  lack  of  the  mechanisms  to  keep  suitable  records,  that  some 
computer  hackers  alter  the  logs， or  that  some  leads  go  through  foreign 
countries  which  do  not  consider  hacking  a  crime,  this  limits  law 
enforcement  officers  to  traditional  investigative  techniques,  which  alone 
may  be  inadequate  to  identify  the  hacker  (National  Police  Agency  1998). 

At  the  same  time,  it  is  not  difficult  to  introduce  a  new  computer  to  the 
Internet  that  has  the  ability  to  be  recognized  anywhere  on  the  Internet. 
Registration  requirements  are  not  difficult  to  satisfy,  and  there  is  little  to 
prevent  transfer  of  the  site  to  new  controllers.  In  general,  proof  of  identity 
requirements  for  Internet  use  is  very  weak  (Department  of  Treasury 
Office  of  Tax  Policy  1996:24). 

Furthermore,  people  are  always  anxious  that,  without  anonymity  on 
the  Internet,  it  is  not  possible  to  guarantee  fundamental  rights 
(COM(2000)  890  final,  20;  National  Police  Agency  1998).  The  European 
Union  Data  Protection  Working  Paily’s  Recommendation  considers  the 
issue  of  anonymity  on  the  Internet  as  being  at  the  centre  of  a  dilemma  for 
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governments  and  international  organizations. 11  On  the  one  hand， the 
possibility  of  remaining  anonymous  is  essential  if  the  fundamental  rights 
to  privacy  and  freedom  of  expression  are  to  be  maintained  in  cyberspace. 
On  the  other  hand,  the  ability  to  participate  and  communicate  online 
without  revealing  one’s  identity  runs  against  the  grain  of  initiatives  being 
developed  to  support  the  fight  against  cybercrime  (COM(2000)  890  final, 
20).  This  brings  a  sense  of  security,  and  gives  individuals  the  courage  to  do 
the  outrageous  and  sometimes  even  resort  to  illegal  activities  (Philip  2002). 
Individuals  may  seek  to  play  pranks,  or  steal,  cause  loss  or  harm,  or 
commit  fraud.  It  sometimes  takes  days， weeks  or  even  months  before  acts 
of  cybercrime  are  detected,  and  by  that  time  the  perpetrators  are  able  to 
cover  their  tracks  and  maintain  their  anonymity  (Philip  2002). 

Thirdly,  the  mechanisms  by  which  crimes  are  enacted  within 
computers  are  sometimes  invisible  to  the  corporate  or  organisational 
victims  (Parker  and  Nycum  1984:313).  The  invisibility  of  cybercrimes  is 
based  on  several  factors:  sophisticated  technology,  investigating  officials’ 
lack  of  sufficient  training,  absent  of  victims’  contingency  plan  for 
responding  to  incidents,  and  the  reluctance  of  victims  to  report  computer 
offences  (UN  Manual,  par.  30,  31).  Even  if  intrusions  are  detected， victims 
tend  not  to  report  intrusions,  particularly  to  law  enforcement.  In  cases,  the 
victim  company  does  not  know  which  law  enforcement  entity  to  call 
(Salgado  2001).  Frequently  quoted  sources  place  figures  for  reporting 
intrusions  to  law  enforcement  between  11%  and  17%. 12  The  documented 
reasons  behind  the  reluctance  to  take  legal  actions  are  mainly  for  fear  of 
adverse  publicity,  public  embarrassment  or  loss  of  goodwill,  the  loss  of 
investor  or  public  confidence,  the  resulting  economic  consequences  such  as 


11  The  Article  29  Data  Protection  Working  Party  (1999). 

12  See  Mardesich  (1996),  IE. 
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the  panic  effect  that  this  information  would  create  on  their  stock  prices, 13 
and  exposure  to  future  attacks  (COM(2000)  890  final,  11).  Some  experts 
have  suggested  that  these  factors  have  a  significant  impact  on  the 
detection  of  computer  crime  (UN  Manual,  par.  31).  The  rate  of  unknown 
occurrences  of  computer  crimes  has  increased  as  a  result  (Park  2004). 

Fourthly,  unlike  more  traditional  threats  that  the  criminal  is 
physically  present  at  the  crime  scene,  the  cybercriminal  usually  is  not 
present  at  the  crime  scene  thus  making  apprehension  difficult  (Speer 
2000:260).  Cybercrimes  are  jurisdictionally  complex,  usually  necessitating 
involvement  by  more  than  one  authority,  and  often  hindering  state 
authorities’  ability  to  pursue  complete  investigations  (Roush  1995:36).  In 
an  increasingly  networked  world,  it  is  increasingly  likely  that  an  intruder 
would  enter  at  least  one  foreign  system,  perhaps  even  without  knowledge 
of  having  done  so.  Legal  measures  to  ease  these  jurisdictional 
impediments  are  not  unattainable,  but  are  likely  to  place  an  even  greater 
burden  on  an  international  response  (Ramo  1996:32). 

Finally,  many  of  the  technological  advances  that  benefit  businesses 
hinder  investigative  efforts  (Institute  for  Security  Technology  Studies 
2002).  The  burden  imposed  by  jurisdictional  complexities  is  aggravated  by 
the  highly  resource-intensive  nature  of  computer  crime  investigations. 
Staffing  a  response  capability  involves  the  cost  of  procuring  and  frequently 
updating  hardware  and  software,  and  training  and  retaining  qualified 
personnel.  14  Perhaps  most  significantly,  these  investigations  are 
extraordinarily  time-intensive  (O’Connor  1997:3C). 

13  See  Carter  (1995),  21;  Roush  (1995),  32,  34;  Gelbstein  and  Kamal  (2002),  2;  McKenna  (2003) 
(reporting  that  research  carried  out  in  December  2002  among  40  members  of  IISyG  -  a  group  of  IT 
security  directors  and  managers  in  the  City  of  London  and  in  government  -  revealed  that  fear  of 
damage  to  corporate  reputation  prevented  over  two -thirds  of  organisations  from  reporting  incidences  of 
cybercrime.  Companies  scared  of  damaging  their  corporate  image  are  masking  the  true  extent  of 
cybercrime.) 

14  See  generally  Philip  (2002). 
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Needs  are  revealed  in  areas  such  as  data  collection,  log  analysis,  and 
Internet  protocol  tracing  (Institute  for  Security  Technology  Studies  2004). 
The  needs  of  cyber  investigators  have  not  been  met  by  the  available 
technology  solutions  (American  Society  for  Industrial  Security  2004:40).  In 
order  to  fill  the  jobs  that  opened,  the  FBI  is  aggressively  recruiting  people 
with  electrical  engineering  and  computer-science  backgrounds.  For  those 
applicants,  it  has  waived  its  usual  requirement  of  three  years  of  work 
experience  (Fields  2004). 

Of  course,  there  is  inevitably  critics  pointing  out  that  the  cyber 
policemen  always  ask  for  more  money,  more  wiretap,  bugs  in  computers 
and  sell  phones,  weak  encryption  and  permission  to  implement  Clipper 
chip  technology.15  Nevertheless,  no  more  arrests  follow  (Koch  2000). 

The  criminal’s  concealment  costs  themselves  are  a  social  waste. 16 
Concealment  may  also  exert  other  costs  on  society.  It  may  decrease  a 
crime’s  expected  sanction,  and  thus  decrease  the  incentives  not  to  cause 
harm  to  others.  In  addition,  concealing  activities  on  the  part  of  criminals 
raise  the  law  enforcement  costs  that  must  be  spent  to  reach  this 
probabilistic  level. 17 

The  concealment  of  cybercrime  proves  the  low  probability  of 
punishment.  The  prosecution  of  cybercrime  is  very  expensive.  Only  the 
large  severity  of  the  penalty  can  increase  the  expected  cost  of  the 

15  CLIPPER  is  an  NS  A  developed,  hardware  oriented,  cryptographic  device  that  implements  a 
symmetric  encryption/ decryption  algorithm  and  a  law  enforcement  satisfying  key  escrow  system. 
While  the  escrow  management  system  design  is  not  completely  designed,  the  cryptographic  algorithm 
(SKIPJACK)  is  completely  specified  (and  classified  SECRET).  The  cryptographic  algorithm  has  the 
following  characteristics:  1. Symmetric,  80-bit  key  encryption/decryption  algorithm;  2.  Similar  in 
function  to  DES  (namely,  basically  a  64-bit  code  book  transformation  that  can  be  used  in  the  same  four 
modes  of  operation  as  specified  for  DES  in  FIPS81);  3.  2  rounds  of  processing  per  single 
encrypt/decrypt  operation;  4.  Design  started  by  NS  A  in  1985;  evaluation  completed  in  1990.  See 
Computer  Security  Devision  (1993). 

16  That  the  costs  of  committing  crimes  are  social  wastes  was  noted  by  Tullock  (1967). 

17  C.f.  Stanley  (1995),  p.2. 
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cybercriminal  and  thus  deter  more  cybercrime.  However,  with  no  penalty 
for  some  less  serious  crimes  and  only  severe  penalty  for  more  serious 
crimes,  there  would  seem  to  be  incentives  for  a  lot  of  less  serious  crimes. 
Given  the  same  level  of  punishment  of  different  level  of  crimes,  some 
criminals  who  would  have  committed  less  serious  crimes  may  find  it 
worthwhile  to  commit  crimes  that  are  more  serious. 18  This  is  due  to  that 
the  marginal  deterrence  would  be  weaker  if  there  is  less  difference 
between  the  punishments  of  the  two  types  of  crimes.  Using  more  severe 
punishments  for  less  serious  crimes  often  precludes  using  a  graduated 
schedule  of  punishments  as  a  deterrent  to  more  serious  crimes.  The  more 
serious  crimes  have  a  greater  payoff  than  less  serious  crime,  but  the 
punishment  was  the  same.  Therefore,  if  one  were  going  to  commit  the 
crime,  there  would  be  a  strong  incentive  to  commit  the  more  serious  one. 
The  schedule  of  punishment  does  not  reflect  the  concept  of  marginal 
deterrence. 19 

Cybercrime  is  transnational  and  ubiquitous,  obstructing  the  establishment 
of  jurisdiction 


In  any  country,  the  court  must  have  jurisdiction  over  the  person  or  the 
subject  matter  of  a  lawsuit  in  order  to  be  able  to  try  it.  This  works  well 
with  the  current  setup  of  law  enforcement  agencies  that  are  very 
territorial  and  operate  within  distinct  village,  town,  district,  city， county, 
state  or  province,  or  country  lines.  However,  unauthorised  access  to 
information  systems  can  be  accomplished  from  virtually  anywhere  on  the 


18 

19 


Ibid. 

Ibid. 
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network, 20  because  the  communications  capability  of  cyberspace  allows 
criminals  to  more  easily  conspire  to  commit  crimes,  and  to  do  so  without 
being  in  geographic  proximity  of  one  another  or  the  target  (Lenk  1997). 
The  international  characteristic  of  cybercrime  is  evident  (National  Police 
Agency  1998).  The  area  of  legal  jurisdiction  further  complicates  the 
cybercrime  enforcement  (Lee  et  al.  1999:873).  Since  different  countries 
have  different  laws  about  computer  crime,  questions  can  arise  as  to 
whether  a  "crime"  has  actually  been  committed  at  all  (Lenk  1997). 

Smith,  Grabosky， and  Urbas  (2004)  concluded  that  the  transnational 
dimension  of  cybercrime  poses  four  formidable  challenges  for  prosecutors: 
to  determine  whether  the  conduct  in  question  is  criminal  in  their  own 
jurisdiction,  to  assemble  sufficient  evidence  to  mobilise  the  law,  to  identify 
the  perpetrator  and  to  determine  his  or  her  location,  and  to  decide 
whether  to  leave  the  matter  to  local  authorities  or  extradite  the  offender 
(Smith,  Grabosky  and  Urbas  2004:48-49).  While  the  major  international 
organisations,  like  the  Organisation  for  Economic  Cooperation  and 
Development  (OECD)  and  the  Group  of  Eight,  are  seriously  discussing 
cooperative  schemes,  many  countries  do  not  share  the  urgency  to  combat 
cybercrime  for  many  reasons,  including  different  values  concerning  piracy 
and  espionage  or  the  need  to  address  more  pressing  social  problems.  These 
countries,  inadvertently  or  not,  present  the  cybercriminals  with  a  safe 
haven  to  operate.  Never  before  has  it  been  so  easy  to  commit  a  crime  in 
one  jurisdiction  while  hiding  behind  the  jurisdiction  of  another. 

The  elimination  of  borders  favours  interjurisdictional  criminal 


20  See  the  United  States  v.  Tenebaumv  (Israel),  18  March  1998,  Israeli  hacked  United  States  military 
computers;  United  States  v.  Gorshkov  (W.D.  Wash)  4  October  2002,  Russian  hacker;  United  States  v. 
McKinnon  I  (E.D.  Va.)  and  II  (D.  N.J.)  12  November  2002,  British  National  hacked  into  United  States 
Military  Networks;  United  States  v.  Zezev  (S.D.  N.Y.)  1  July  2003,  Hackers  from  Kazakhstan;  United 
States  v.  Ivanov  (D.  Conn.)  25  July  2003,  Russian  hacker,  also  charged  in  C.D.  Cal  ,E.D.  Cal  ,  W.D. 
Wash,  and  D.  N.J. 
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mobility.  Rational  criminals  will  commit  their  acts  where  the  marginal 
cost  of  one  more  crime  is  lower  (Garoupa  2003).  This  marginal  cost  is 
determined  by  law  enforcement  policies  and  transportation  and 
communication  costs.  This  effect  should  lead  to  competition  among  the 
different  jurisdictions  to  have  a  tougher  law  enforcement  policy  in  order  to 
avoid  immigration  of  offenders.  This  competition  would  produce  a  waste  of 
resources  because  each  jurisdiction  ignores  the  loss  of  welfare  on  other 
jurisdictions.  Therefore,  a  cooperative  solution  internalizes  this  externality 
(Garoupa  2003).  Due  to  the  difficulty  in  establishing  jurisdiction,  even  if  a 
certain  offence  is  detected,  it  is  still  uncertain  whether  the  way  leads  to 
punishment. 

Suggestions  have  been  made  to  incorporate  cyberspace  into  various 
jurisdiction  frameworks.  However,  this  will  take  a  great  deal  of  time, 
agreement  and  co-operation  between  countries.  Various  countries  are  still 
struggling  to  establish  treaties  to  sort  out  these  issues. 


Cybercrime  is  complicated,  prohibiting  efficient  investigation,  evidence 
collection  and  conviction 


The  Internet  allows  for  communication  and  planning  of  criminal  activity 
in  different  ways  than  in  even  the  recent  past.21  To  make  matters  worse, 
the  information  on  how  to  infiltrate  a  corporation  is  freely  available  on  the 
Internet  (Behar  1997:66).  The  incapacities  stem  ultimately  from  the  fact 
that  the  information  infrastructure  is  transnational  in  nature.  Attackers 

21  C.f.  Lenk  (1997).  The  evolution  of  the  attack  mechanism  in  1982  is  password  guessing,  1984  Self- 
replicating  code,  1985  password  cracking,  1986  Exploiting  known  vulnerabilities,  1988  Disabling  audit 
mechanisms,  1989  Use  of  back  doors  in  programs,  1990  Hijacking  sessions,  1991  Sweepers,  1992 
Packet  sniffers,  1 993  Stealth  diagnostics,  1 994  Packet  spoofing,  1 995  Graphic  user  interfaces  for  attack 
tools,  1996  Automated  probes  and  scans,  1997  Denial  of  service,  1998  Web  attacks,  1999  Macro 
viruses,  and  2000  distributed  attacks.  See  Longstaff  (1999). 
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deliberately  fashion  their  efforts  to  exploit  the  absence  of  internationally 
agreed  standards  of  behaviour  and  cooperation.  Attackers  can  avoid 
prosecution  or  greatly  complicate  investigations  simply  by  initiating 
attack  packets  from  countries  with  inadequate  laws,  and  routing  them 
through  countries  that  with  different  laws  and  practices,  and  no 
structures  for  cooperation  (Sofaer  et  al.  2000). 


Any  corporation  connected  to  the  Internet  is  vulnerable  to  hacker 
intrusions  because  the  Internet  is  accessed  by  hundreds  of  millions  of 
people  (Adams  1996:406). 


Cybercrime  is  expensive， attracting  more  potential  offenders  to  produce  it 


In  the  sense  of  losses  caused  by  cybercrime,  it  is  so  expensive  that  no  other 
activity  can  be  its  substitute.  Sometimes， the  “losses”  of  an  offence  might 
not  necessarily  be  pure  social  cost.  Some  of  the  wealth  might  be 
transferred  from  the  victim  to  the  offender.  Generally,  the  more  the 
offender  obtains,  the  more  the  victim  loses.  In  some  other  cases  where  the 
offender  does  not  acquire  substantial  property,  the  “losses”  of  a  victim’s 
money  or  health  has  meaning  in  satisfying  the  offender’s  psychological 
demand.  Both  cases,  the  offender  has  expected  benefits.  Again,  the  more 
the  victim  loses,  or  the  more  seriously  the  victim  is  damaged,  the  more  the 
offender  is  satisfied. 

In  understanding  the  costs  of  crime,  the  usable  approach  is  the 
accounting  exercise  where  researchers  just  try  to  add  up  all  of  the  losses 
from  crime.  The  largest  loss  category  is  usually  the  values  of  lives  lost  due 
to  murder.  Other  straightforward  costs  include  the  amount  that  is  spent 
on  crime  prevention.  These  costs  would  include  the  amount  that  is  spent 
by  the  government  on  police  and  the  judiciary.  Crimes  cost  estimates  have 
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generally  been  unable  to  quantify  the  social  costs  that  accrue  from 
underinvestment  in  the  legal  sector  because  criminals  appropriate  returns. 

It  has  proved  difficult  to  give  an  accurate,  reliable  overview  of  the 
extent  of  losses  and  the  actual  number  of  cybercriminal  offences  (UN 
Manual,  par.  27).  Serious  damages  can  be  caused  by  either  one  or  just  a 
few  persons’  simple  operations  or  tricks.  Especially,  by  taking  advantage 
of  the  development  of  the  ICT  where  various  computer  systems  are 
connected  together  by  online  networking,  a  few  professional  hackers  are 
capable  of  breaking  down  national  infrastructures  and  major 
communication  systems  (Park  2004). 

Notwithstanding  the  whole  world  is  being  acting  actively  to  combat 
cybercrime,  the  number  of  cybercrime  is  still  on  the  rise  and  that  their  cost 
is  increasing  exponentially  (CSI/FBI  2000).  International  estimates 
indicate  that  cybercrime  costs  approximately  $50  billion  annually  in  2002 
(Hale  2002:5-6)， and  reached  $400  billion  in  2005  (McAfee  Virtual 
Criminology  Report  2005:5).  The  meaning  of  this  2005  number  may  be 
well  understood  if  we  compare  it  with  the  “911”  attacks22  which  cost  New 
York  City  at  least  $17  billion.  And  terrorism  is  forecast  to  knock  .25%  off 
the  world  economy's  growth  rate  -  an  impact  of  around  $75  billion 
(Davidson  2003).  That  is  to  say,  the  worldwide  overall  cybercrimes  bleed 
the  economy  nearly  24  times  of  the  “911”， if  they  are  comparable.  In 
addition,  companies  are  investing  heavily  in  a  variety  of  security 

22  ..... 

The  September  11,  2001  attacks  were  a  series  of  coordinated  attacks  carried  out  in  the  United  States 

on  Tuesday,  September  11,  2001.  According  to  the  official  9/11  Commission  Report,  nineteen  men 
hijacked  four  commercial  airliners.  Two  were  crashed  into  the  World  Trade  Center,  shortly  after  which 
both  towers  collapsed.  The  third  aircraft  crashed  into  the  the  Pentagon.  The  fourth  plane  crashed  into  a 
rural  field  in  Pennsylvania.  The  attacks  were  the  most  lethal  terrorist  acts  ever  carried  out  in  the  United 
States  and  most  lethal  individual  attacks  in  the  world.  The  September  1 1th  attacks  are  arguably  the 
most  significant  events  to  have  occurred  so  far  in  the  21st  century  in  terms  of  the  profound  economic, 
social,  cultural,  and  military  effects  that  followed  in  the  United  States  and  many  parts  of  the  world.  See 
generally  National  Commission  on  Terrorist  Attacks  upon  the  United  states,  9/1 1  Commission  report, 
August  2004,  at  http://www.9-l  1  commission. gov/report/9 1  lReport.pdf. 
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technologies.  These  investments  are  dramatic  evidence  of  the  huge  costs 
being  inflicted  by  cybercrime.  To  these  amounts  must  be  added  the  costs  of 
cybercrime  insurance,  a  new  coverage  for  an  expanding  market.  This  is 
not  unrealistic,  if  we  recall  that  the  IMF  June  2002  Global  Financial 
Stability  Report  reflects  a  conservative  total  insured  losses  for  911  of 
around  44  billion  US  Dollars  (IMF  2002:38). 

The  direct  cost  typically  associated  with  preventing  or  recovering  from 
cybercrime-investments  in  intrusion- detention  systems,  lost  productivity, 
overtime  for  IT  staff  to  fix  compromised  systems-have  all  become  an 
unfortunate  but  accepted  part  of  doing  business,  and  they  rarely  affect  a 
company’s  revenue  over  time  or  its  stock  prices.  The  real  financial  damage 
done  by  cybercrime  stems  from  breaches  of  confidence.  Such  breaches  can 
drive  down  revenue  over  time,  and  stock  market  investors  consider  that 
possibility  by  lowering  their  estimation  of  the  worth  of  the  company’s  stock. 
Companies  that  suffer  a  confidentiality  violation  lose  more  than  5  percent 
of  their  market  value  on  average  (Loeb  2004:69). 

A  survey  by  Sunil  Wattal  and  Rahul  Telang  of  Carnegie  Mellon 
University  in  Pittsburgh,  Pennsylvania,  analysed  the  economic  impact  on 
18  software  suppliers,  including  Microsoft,  Cisco,  IBM  and  Red  Hat. 
Announcing  vulnerability  in  one  of  these  companies1  products  caused,  on 
average,  a  0.6  per  cent  fall  in  its  stock  price,  or  an  $860  million  fall  in  the 
company’s  value  (Telang  and  Wattal  2005:3). 

Costs  of  cybercrime  are  only  a  part  of  the  social  loss  of  cyber  crime. 
According  to  Becker,  the  social  loss  of  crime  was  defined  as  the  sum  of  the 
costs  of  crime,  costs  of  arrests  and  convictions,  and  the  costs  of  sanctions. 
The  probability  and  severity  of  punishment  was  determined  in  order  to 
minimize  this  sum  (Becker  1968).  Costs  of  cybercrime  are  difficult  to 
measure;  however,  these  costs  are  reasonably  substantial  (Garg  et  al.  2003) 
and  are  essentially  doubling  each  year  (Lukasik  2000).  The  problem 


254 


becomes  even  more  complicated  when  one  considers  that  these  crimes  are 
underreported  (Ullman  and  Ferrera  1998). 

What  makes  the  situation  worse  is  that  cybercrime  is  not  only 
expensive， but  also  is  in  the  process  of  rapid  increase.  Only  if  it  reaches 
the  stage  of  saturation,  the  development  speed  could  begin  to  decrease. 
Furthermore,  Public-funded  law  enforcement  is  stymied  by  territorial  laws 
and  frontiers  that  are  not  even  lines  on  the  map  in  cyberspace.  Budget - 
constrained  government  agencies  average  about  49  months  to  order, 
acquire,  and  install  new  computer  systems  vs.  about  9  months  in  the 
private  sector.  Criminals  can  purchase  state-of-the-art  technology  as  soon 
as  it  becomes  available  (Webster  and  de  Borchgrave  1998). 


Cybercrime  is  rampant,  with  the  increase  rate  higher  than  the  increase  rate 
of  deterrence 


The  enormous  and  exponentially  growing  capacities  for  electronic  storage, 
transmission  and  rapid  manipulation  of  binary  data  changed  the  modern 
landscape  virtually  overnight  (Fraser  2003). 

Engineering  for  ease  of  use  is  not  being  matched  by  engineering  for 
ease  of  secure  administration.  The  gap  between  the  knowledge  needed  to 
operate  a  system  and  that  needed  to  keep  it  secure  is  resulting  in 
increasing  numbers  of  vulnerable  systems  (Allen  2001). 

The  rapid  quantitative  increase  in  the  criminality  and  its  qualitative 
changes,  caused  by  the  aggravation  of  contradictions  indifferent  regions  of 
public  life,  by  the  frequent  reorganisations  of  the  system  of  law- 


enforcement  agencies,  the  imperfection  of  legislation  and  its  frequent 
change,  contribute  to  the  acceleration  of  the  process  of  the  development  of 
computer  criminality  as  social  phenomenon. 
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People  call  for  making  the  punishment  fit  the  cybercrime  (Vamosi 
2003),  but  how?  Undeterred  by  the  prospect  of  arrest  or  prosecution,  cyber 
criminals  around  the  world  lurk  on  the  Net  as  an  omnipresent  menace  to 
the  financial  health  of  businesses,  to  the  trust  of  their  customers,  and  as 
an  emerging  threat  to  nations’  security.  Headlines  of  cyber  attacks 
command  our  attention  with  increasing  frequency  (McConnell 
International  LLC.  2000). 

Although  several  countries,  particularly  in  Europe  and  Asia,  were 
found  to  have  addressed  a  number  of  these  broader  information  security 
factors,  few  countries  were  able  to  demonstrate  that  adequate  legal 
measures  had  been  taken  to  ensure  that  perpetrators  of  cyber  crime  would 
be  held  accountable  for  their  actions  (McConnell  International  LLC.  2000). 


Extent  of  progress  on  updating 
cybercrime  laws 


□  No  updated 
laws 

■  Subtantially  or 
fully  updated 
(10) 

□  Partially 
updated  (9) 


Figure  8  Extent  of  progress  on  updating  cybercrime  laws 
Source:  McConnell  International  LLC.  2000. 
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Figure  8  provides  a  categorization  of  the  52  countries  surveyed.  The 
laws  of  most  countries  do  not  clearly  prohibit  cyber  crimes.  Existing 
terrestrial  laws  against  physical  acts  of  trespass  or  breaking  and  entering 
often  do  not  cover  their  “virtual”  counterparts.  According  to  the  principle 
of  “nullum  crimen  sine  lege， mulla  poena  sine  lege,”  lacking  of  law 
punishing  cybercrime  sets  up  the  deterrent  probability  at  zero,  while  the 
actual  punishment  is  also  zero.  Then,  the  expected  utility  of  the  offender 
equals  the  utility  when  he  or  she  is  undetected. 

Even  if  there  is  such  law， effective  law  enforcement  is  complicated  by 
the  transnational  nature  of  cyberspace.  Mechanisms  of  cooperation  across 
national  borders  to  solve  and  prosecute  crimes  are  complex  and  slow. 
Cyber  criminals  can  defy  the  conventional  jurisdictional  realms  of 
sovereign  nations,  originating  an  attack  from  almost  any  computer  in  the 
world,  passing  it  across  multiple  national  boundaries,  or  designing  attacks 
that  appear  to  be  originating  from  foreign  sources.  Such  techniques 
dramatically  increase  both  the  technical  and  legal  complexities  of 
investigating  and  prosecuting  cyber  crimes  (McConnell  International  LLC. 
2000). 

The  development  of  cybercrime  necessitates  the  updating  of  law.  For 
instance,  six  weeks  after  the  Love  Bug  attack,  the  Philippines  outlawed 
most  computer  crimes  as  part  of  a  comprehensive  e-commerce  statute 
(McConnell  International  LLC.  2000). 


Factors  influencing  the  severity  of  punishment  against 
cybercrime 


As  the  conclusions  of  McConnell  International  LLC.  (2000)， weak  penalties 
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limit  deterrence.  Why  does  creating  a  virus  carry  lighter  penalties  than 
marijuana  offences?  (McCullagh  2004).  The  possible  answer  from 
economists  will  be  related  to  the  elasticity  of  these  two  kinds  of  crime. 
Unlike  the  marijuana  offences  that  are  inelastic， cybercrime  is  more 
elastic.  Tougher  punishment  for  drug  crime  will  be  less  effective  than  for 
cybercrime.  But  considering  the  marginal  deterrence,  when  the 
punishment  is  too  light  for  cybercrime,  it  certainly  does  not  deter,  either. 
Lack  of  certain  degree  of  severity,  punishment  will  not  prevent  potential 
criminals  from  committing  crimes  they  are  planning,  because  even  if  they 
are  probably  captured,  their  expected  benefit  is  still  higher  than  expected 
cost.  It  is  the  marginal  deterrence  of  the  punishment  but  not  the  elasticity 
of  the  crime  is  working. 

There  is  a  good  excuse  for  capital  punishment  from  the  viewpoint  of 
law  and  economics,  saying  that  some  countries  are  relatively  poor  and 
probably  cannot  afford  to  invest  on  detecting  criminals,  lengthy  convicting 
and  sentencing,  and  enforcing  the  imprisonment  sentence.  Therefore, 
capital  punishment  is  still  reserved  in  many  countries,  and  is  being 
further  extended  to  cybercrime. 

Principally,  capital  punishment  cannot  be  applied  to  the  specific 
cybercrime  provided  in  Chinese  criminal  law  (Articles  285,  286).  However, 
capital  punishment  can  be  applied  to  the  previous  offences  utilizing 
computer  information  systems,  e,g.  offence  of  financial  fraud,  theft, 
embezzlement， theft  of  national  secret,  and  other  offences  (Article  287).  If 
criminals  are  rational,  they  will  respond  to  increases  in  the  expected  value 
of  punishment  by  reducing  their  criminal  activity.  Even  if  they  are  driven 
by  irrational  factors,  as  long  as  they  react  rationally,  at  the  margin  of  their 
activity,  this  response  will  follow  (Garoupa  2003). 


However,  at  the  same  time,  some  methods  adopted  in  some  countries 
cannot  completely  explained  by  the  above  theory.  Take  the  example  of 
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applying  long-term  imprisonment  to  the  offences  with  low  detection 
probability.  The  expense  of  the  long-term  imprisonment  is  quite  huge. 
Then， it  may  be  said  that  under  these  circumstances,  the  governmental 
investment  is  insufficient,  while  the  emphasis  is  put  on  execution,  the 
detection  is  ignored.  This  is  related  to  the  value  orientation  of  the 
government. 

Some  countries  completely  breach  the  rational  choice.  They  seem  to  be 
hard  to  afford  for  detection,  conviction  and  execution,  while  on  the  other 
hand  they  established  cyber  police， employing  huge  police  forces.  The 
tasks  of  these  cyber  police  include  detection  and  evidence  collection,  as 
well  as  cybercrime  prevention  with  techniques  and  human  resources, 
forming  a  “cyber  information  dam”.  The  expense  is  also  huge. 

In  these  countries,  the  concerns  on  privacy  of  individuals  abdicate  to 
the  national  security  and  social  order.  It  proves  that,  in  the  information 
age,  the  public  organs  get  increasingly  greater  power  of  surveillance  and 
interception.  Since  1990s， the  world  is  frequently  attacked  by  the 
terrorists,  individuals’  individualism  is  gradually  submerged  by  the  voice 
of  national  interests  and  international  co-operation.  The  role  of 
punishment  in  the  deterrence  of  crime  is  undoubtedly  unearthed.  Whether 
in  poor  or  wealthy  countries,  the  severe  punishment  is  being  used 
universally  to  cybercrime.  This  can  be  explained  as  decreasing  the 
expected  benefits  of  cybercrime  while  increasing  the  expected  costs, 
forcing  the  offenders  to  give  up  committing  the  offences  and  to  choose  legal 
activities.  This  implicates  that  the  means  the  modern  countries  take  to 
decrease  crime  are  direct  prevention,  plus  increasing  detection  probability 
and  increasing  punishment  severity. 

However,  the  following  factors  deserve  further  consideration: 

1.  Whether  the  information  dam  is  effective?  The  filtering  and 
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blocking  of  information  is  expensive  and  ineffective.  As  the  substitute  of 
severe  punishment,  it  is  either  the  necessary  waste  of  democracy 
(compared  with  over-criminalization),  or  the  necessary  limit  to  democracy 
(compared  with  information  freedom).  Private  deterrence  effort  might  fail 
as  public  deterrence  increases.  Individuals  might  be  less  vigilant  about 
crime  if  they  felt  the  authorities  had  it  under  control.  Firms  should  secure 
their  networked  information.  Governments  should  assure  that  their  laws 
apply  to  cyber  crimes.  Firms,  governments,  and  civil  society  should  work 
cooperatively  to  strengthen  legal  frameworks  for  cyber  security 
(McConnell  International  LLC.  2000). 

2.  Whether  the  severe  punishment  is  cheap?  There  have  been 
hundreds  of  studies  done  concerning  the  cost  of  the  death  penalty,  proving 
that  the  death  sentence  is  not  only  expensive  but  also  easy  to  execute  the 
innocent.  The  cost  of  imprisonment  is  also  high.  Because  the  cost  of  severe 
punishment  costs  differently  in  different  countries,  the  legislature  and  the 
law  enforcement  have  the  different  tendency  in  implement  different 
severity  of  punishments,  which  can  bring  about  further  jurisdictional 
problems. 

3.  Whether  the  severe  punishment  is  effective?  Imposition  of  severe 
punishment  on  light  offence  has  the  effect  of  inciting  serious  offence.  Some 
crime  could  be  displaced  to  another  offence  type,  time  or  location.  If 
criminals  have  target  incomes,  deterrence  could  imply  that  more  crime 
would  occur,  for  example,  there  could  be  more  attempted  break-ins  that 
the  police  managed  to  halt.  The  deterrence  of  established  criminals  could 
encourage  the  entry  of  replacements  into  the  crime  industry.  Given  that 
the  detection  probability  is  very  low,  and  there  is  no  way  to  increase  it,  the 
severe  punishment  again  meets  the  limitation.  It  turns  out  that  the  severe 
punishment  does  not  work.  According  to  the  formulation,  when  p=0， the 
expected  utility  of  the  offender  equals  the  utility  when  he  or  she  is 
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undetected.  So,  the  severe  punishment  to  some  extent  needs  the  support  of 
the  detection  probability.  Or  else  it  loses  any  foundation  on  which  it  exists. 
The  punishment  delivers  no  deterrence  at  all. 


Conclusion 


Although  people  are  sure  that  poor  information  security  reduces  the 
competitiveness  of  nations  (McConnell  International  LLC.  2000)， as  yet 
there  is  no  mechanism  as  perfect  as  to  eliminate  this  negative  externality 
of  information  economy.  The  co-existence  of  various  mechanisms 
inevitably  causes  conflicts  and  wastes.  The  result  of  the  economic  analysis 
of  the  punishment  on  cybercrime  seems  to  destroy  all  hypotheses. 
However,  the  society  does  not  shrivel.  The  coordinative  framework  of  the 
cyberspace  needs  the  coordinative  countermeasures  of  the  society.  Even  if 
the  cost  is  high,  the  success  rate  is  low,  after  hard  game,  the  balance 
between  crime  and  punishment  will  be  reached  at  last. 
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CHAPTER  XI  CONCLUSIONS 


The  current  information  systems  are  insecure  systems,  while  the  present 
Internet  is  an  insecure  network.  Cyberspace  can  be  considered  as  the 
expansion  of  society,  while  cybercrime  is  the  extension  of  criminal 
phenomena.  Although  cyberspace  is  not  entirely  independent,  there  is  the 
possibility  and  even  necessity  for  autonomy  within  the  independent 
factors.  Technicians  are  constantly  inventing  technological 
countermeasures  to  deal  with  issues  of  cybersecurity,  but  an  increasing 
number  of  commentators  argue  that  the  techniques  of  security  cannot 
keep  pace  with  techniques  for  discovering  loopholes  in  information 
systems  and  for  launching  attacks  on  information  systems.  It  is 
impracticable  to  solve  the  whole  problem  merely  by  the  means  of 
technology. 

To  some  extent,  cybercrime  mobilizes  law.  Criminal  law  and  other 
laws,  professional  codes,  industrial  self-discipline  and  user  ethics  form 
guidelines,  though  their  functions  are  quite  varied  as  between  the 
different  countries.  Most  of  the  modern  democratic  countries  do  not 
exploit  penalties  as  primary  means  for  correcting  human  behaviour. 
Criminal  law  remains  the  main  tool.  However,  if  criminal  law  cannot 
respond  to  the  reality  of  crime,  if  law  cannot  be  enacted  to  impose  a 
suitable  liability  on  harmful  activities,  and  if  law  cannot  be  enforced  by 


qualified  personnel,  the  law  will  unquestionably  be  ineffective.  In  fact,  in 
the  current  technological  environment,  legislature  and  law  enforcement 
can  hardly  adjust  their  activities  in  response  to  the  new  situations. 
Criminal  law  becomes  a  law  the  principle  and  stability  of  which  hamper 
its  inherent  functions. 


Law-enforcement  agencies  have  found  that  it  is  much  more  complex 
to  detect， investigate,  and  convict  cybercriminals  than  traditional 
criminals.  In  the  networked  world,  it  has  become  increasingly 
uncomplicated  for  criminals  to  avoid  conviction  by  acting  from  a  country 
where  a  conduct  is  neither  criminalized  nor  prosecuted.  International 
cooperation  and  legal  harmonization  are  necessary  for  reducing 
investigation  costs  and  increase  enforcement  effects. 

As  we  mentioned  above,  the  insufficiency  of  the  existing  legal 
framework  and  the  inefficiency  of  detection  and  conviction  imply  that 
high  costs  will  be  involved  in  cybercriminal  law  enforcement.  An 
inefficient  and  ineffective  legal  framework  for  control  over  cybercrime  will 
run  the  risk  of  creating  new  unfairness  in  the  information  age.  The 
deficiency  of  law  and  the  prevalence  of  lawlessness  may  become  two  of  the 
most  notorious  negative  factors. 

Neither  laws  nor  technologies  can  do  everything  that  people  normally 
expect， even  in  their  duties.  The  more  appropriate  strategies  for  the 
control  of  cybercrime  require  an  arrangement  of  law  enforcement, 
technological  and  market-based  solutions. 
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